Pixnapping attack can steal 2FA codes from Android devices using onscreen pixels

Android Police

UPDATE: 2025/10/14 19:49 EST BY CHRIS THOMAS

Google reached out with clarification.

As told to Android Police by a Google spokesperson: "We issued a patch for CVE-2025-48561 in the September Android security bulletin, which partially mitigates this behavior. We are issuing an additional patch for this vulnerability in the December Android security bulletin. We have not seen any evidence of in-the-wild exploitation."

Google said that the September patch followed the initial vulnerability report. However, after a researcher bypassed the first fix with an updated attack, Google developed a more comprehensive patch that will be issued in December.

Additionally, Google pointed out that exploiting the vulnerability requires specific data about the targeted device and, even then, the researchers noted a low success rate. Based on Google's current detections, the Google Play Store does not contain any malicious apps exploiting the vulnerability.


A team of academics says it has found a way to rip sensitive onscreen data from Android devices pixel-by-pixel — fast enough to snatch time-based two-factor authentication (2FA) codes in under 30 seconds. The technique, dubbed Pixnapping and reported on by The Hacker News, apparently targets Google and Samsung phones tested on Android 13 through 16, but the authors argue the necessary ingredients exist across the broader Android ecosystem.

How the screen-spying flaw theoretically works

And what it means for users

Pixnapping isn’t another screenshot permission abuse. It’s a side-channel pipeline that abuses how Android layers and processes windows. A malicious app (even with all special permissions disabled) can force “victim” app content into the rendering path via intents, then stack semi-transparent activities and trigger visual effects to leak information about each pixel’s value. Repeat that loop, and you can reconstruct whatever’s on screen, including digits in Google Authenticator, bits of a Google Maps Timeline, or other sensitive UI elements.

That flow isn’t new; it actually builds on GPU.zip, a 2023 disclosure showing that GPU compression behavior can be used for cross-origin pixel theft in browsers. Here, researchers combine that hardware quirk with Android’s window blur API to measure pixel-dependent timing differences and exfiltrate data from non-browser apps. In short: no screenshots, just physics and clever scheduling.

Google has assigned the issue CVE-2025-48561 (CVSS 5.5) and shipped mitigations in the September 2025 Android Security Bulletin, warning that spammy blur requests can both indicate and enable pixel stealing. However, the researchers say there’s already a workaround that re-enables Pixnapping, and Google is working on another fix.

There’s a second headache, too. As a side effect of the technique, an attacker can infer whether an arbitrary app is installed, effectively bypassing Android 11’s restrictions on querying the full app list. Google has reportedly marked that behavior “won’t fix.”

So, what can you do right now? For starters, ensure Play Protect is active, and avoid sideloading sketchy-looking APKs. Overall, be skeptical of apps that insist you open other apps through them, especially if they show odd translucent overlays or blur-heavy transitions.

On the platform side, the researchers recommend letting sensitive apps opt out of compositing tricks and throttling the attacker’s ability to take high-fidelity timing measurements, to make sure these potential attacks remain theoretical. In the meantime, until patches land everywhere, treat unknown apps like they’re standing over your shoulder with a magnifying glass.
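The mitigation direction in the last two paragraphs, and Google's own note that "spammy blur requests can both indicate and enable pixel stealing", amounts to rate-limiting and flagging the visual-effect requests a single app can issue. The following is an added illustrative model of that idea, not Android's code and not the researchers' code: a per-package sliding-window throttle over a constructed stream of blur-request events. The event tuple layout, package names and the window/limit values are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed event stream: (timestamp_ms, package_name, event_type).
# This is NOT a real Android log format; it is a stand-in for "an app asked
# the compositor to apply a blur" so the throttle below has something to replay.
# A normal app blurs a few times; a pixel-stealing loop blurs hundreds of times
# per second because every measurement needs a fresh blur.
EVENTS = [
    (1000, "com.example.photos", "blur_request"),
    (1400, "com.example.photos", "blur_request"),
    (2900, "com.example.photos", "blur_request"),
] + [(3000 + i * 7, "com.example.suspicious", "blur_request") for i in range(300)]

WINDOW_MS = 1000            # assumed window length
MAX_BLURS_PER_WINDOW = 20   # assumed per-app budget inside one window


class BlurThrottle:
    """Sliding-window limiter for per-package blur requests.

    Requests beyond the budget are denied (the "throttle" half of the
    mitigation) and the offending package is recorded with the timestamp
    of its first denial (the "indicator" half)."""

    def __init__(self, window_ms=WINDOW_MS, limit=MAX_BLURS_PER_WINDOW):
        self.window_ms = window_ms
        self.limit = limit
        self.recent = defaultdict(deque)   # package -> timestamps still inside the window
        self.flagged = {}                  # package -> first timestamp it was throttled
        self.denied = defaultdict(int)     # package -> number of denied requests

    def request(self, ts_ms, package):
        """Return True if the blur request is allowed, False if throttled."""
        q = self.recent[package]
        # Drop timestamps that have aged out of the window.
        while q and ts_ms - q[0] >= self.window_ms:
            q.popleft()
        if len(q) >= self.limit:
            self.denied[package] += 1
            self.flagged.setdefault(package, ts_ms)
            return False
        q.append(ts_ms)
        return True


def replay(events, throttle=None):
    """Feed an event stream through the throttle in timestamp order and
    return the throttle so its counters can be inspected."""
    throttle = throttle or BlurThrottle()
    for ts, pkg, event_type in sorted(events):
        if event_type == "blur_request":
            throttle.request(ts, pkg)
    return throttle


if __name__ == "__main__":
    t = replay(EVENTS)
    for pkg, first_ts in t.flagged.items():
        print(f"{pkg}: first throttled at {first_ts} ms, {t.denied[pkg]} requests denied")
```

With these numbers the photo app never trips the limit, while the 300-request burst is flagged at its 21st request and loses most of the rest, which is the trade-off the researchers describe: a legitimate UI keeps its blurs, but an attacker no longer gets the high-frequency measurements the timing channel depends on.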