A team of researchers at Carnegie Mellon University has identified a new attack method that can allow malicious applications to steal sensitive data from Android devices.
Named Pixnapping, the attack has been demonstrated against Google and Samsung phones. Google has released one patch for the Android operating system and is working on an additional fix to protect devices against potential attacks.
In order to launch a Pixnapping attack, an attacker has to trick the targeted user into installing a malicious application on their Android phone. The malicious app does not need any Android permissions in order to conduct an attack.
According to the researchers, the attack starts with the malicious app invoking the application from which data will be stolen. It then induces graphical operations on pixels in the targeted app that are known to be associated with a region of the screen where sensitive data is typically displayed. The GPU side-channel attack named GPU.zip, which researchers disclosed back in 2023, is then used to steal the targeted pixels, one pixel at a time.
These operations take place in the background while the victim is viewing the malicious application.
“Pixnapping forces sensitive pixels into the rendering pipeline and overlays semi-transparent activities on top of those pixels via Android intents. To induce graphical operations on these pixels, our instantiations use Android’s window blur API. To measure rendering time, our instantiations use VSync callbacks,” the researchers explained.
“Conceptually, it is as if the malicious app was taking a screenshot of screen contents it should not have access to,” they added.
The researchers successfully reproduced the attack on Pixel and Samsung phones, but they believe devices from other vendors are likely vulnerable as well. During their tests, they managed to recover sensitive data from websites such as Gmail and Google Accounts, as well as apps such as Venmo, Signal, Google Authenticator, and Google Maps.
The Pixnapping attack can be used to steal sensitive data such as 2FA codes, emails, and chat messages, but only information that is visible on the screen is vulnerable.
Many of the researchers’ tests targeted Google Authenticator, from which they managed to steal 2FA codes in under 30 seconds (the speed of the attack is important in this case as 2FA codes in Authenticator expire after 30 seconds). Google Authenticator makes for a good target as the position of the 2FA code on the screen is highly predictable, enabling its theft pixel by pixel.
However, during their tests the researchers achieved a success rate ranging between 29% and 73% on Pixel devices for the recovery of 2FA codes from the Google Authenticator app. On the Samsung Galaxy S25, they were unable to recover the codes within 30 seconds.
Google was informed about the vulnerability in February 2025. The CVE identifier CVE-2025-48561 was later assigned and a patch was rolled out with the Android updates released in September. The researchers have managed to bypass Google’s patch and the tech giant is now working on an additional fix that should become available in December.
Google told SecurityWeek that it has not seen any evidence of in-the-wild exploitation. The tech giant also noted that, based on its current detections, no malicious apps exploiting this vulnerability have been found on Google Play.