Overview

• The technique lets a malicious app with no special permissions infer pixels from other apps and websites, exposing items such as 2FA codes, private messages, emails, and location timelines.
• Pixnapping combines the GPU.zip timing side channel with Android features including intents, stacked semi-transparent activities, the window blur API, and VSync measurements to reconstruct screen content.
• In tests on Pixel 6, 7, 8, and 9, researchers recovered full six‑digit Google Authenticator codes in 73%, 53%, 29%, and 53% of 100 trials, typically within about 14–26 seconds; the team could not meet the 30‑second window on a Galaxy S25 due to noise.
• The leak rate is roughly 0.6–2.1 pixels per second, which the researchers say is slow but sufficient to extract time‑limited authentication codes on several Pixel models.
• Tracked as CVE‑2025‑48561, the issue received a partial mitigation in September; researchers disclosed a private workaround that bypasses it, Google reports no in‑the‑wild exploitation, and an app‑list probing side effect remains marked “won’t fix.”