Overview
- Pixnapping exploits the GPU.zip timing side channel plus Android intents, activity layering, the window blur API, and VSync callbacks to infer pixel values from other apps and web pages.
- Demonstrations on Google Pixel 6–9 and Samsung Galaxy S25 running Android 13–16 show that 6‑digit Google Authenticator codes can be recovered on Pixels in roughly 14–26 seconds, with noisy results on the Galaxy S25.
- A malicious app needs no special permissions: it can coerce target apps into rendering content, then leak roughly 0.6–2.1 pixels per second, enough to reconstruct short, high‑value data.
- Google is tracking the flaw as CVE-2025-48561, reports no evidence of in‑the‑wild exploitation, delivered a partial mitigation in September, and plans an additional patch in December.
- The research team says they found a workaround to the September blur‑rate limit and also disclosed an intent‑based method to enumerate installed apps that Google has marked as won’t fix.