Particle.news
Download on the App Store
16 ARTICLES
·
5h ago

Researchers Reveal 'Pixnapping' Android Attack That Steals 2FA Codes as Google Targets December Fix

Google’s September patch only partly mitigates the flaw, with a broader fix scheduled for December.

Image
Image
Image
Image

Overview

  • Academics detailed Pixnapping at ACM CCS, showing a malicious app can reconstruct on‑screen data from other apps, including Google Authenticator codes, Gmail, Maps timelines, Signal, and Venmo.
  • The technique uses Android intents to render victim pixels, overlays semi‑transparent activities to trigger blur operations, and exploits GPU.zip timing to infer pixel values without special permissions.
  • Researchers demonstrated the attack on Pixel 6–9 and Samsung Galaxy S25 running Android 13–16, recovering six‑digit 2FA codes in under 30 seconds in many tests.
  • Google assigned CVE‑2025‑48561, shipped a partial mitigation in September that limits blur calls, and says a workable bypass exists; a fuller fix is planned for December and no in‑the‑wild use has been detected on Play.
  • Throughput is low (about 0.6–2.1 pixels per second) but sufficient for short‑lived codes, the GPU.zip hardware side channel remains unpatched by vendors, and an app‑list probing bypass was labeled “won’t fix.”