A new side-channel attack called Pixnapping enables a malicious Android app with no permissions to extract sensitive data by stealing pixels displayed by applications or websites, and reconstructing them to derive the content.

The malicious app required to make a “Pixnapping” attack work requires no permissions.

No reports of active exploitation yet

: GPU-based timing attack inspired by decade-old iframe technique