Security researchers have developed a new technique to extract sensitive information from Android apps—including two-factor authentication (2FA) codes and chat messages—in less than a minute.

The technique, dubbed Pixnapping, was demonstrated on Google Pixel phones and Samsung Galaxy S25 devices and can be adapted to target other Android devices, according to researchers from the University of California, the University of Washington, and Carnegie Mellon University. Their findings were detailed in a paper titled “Pixnapping: Bringing Pixel Stealing out of the Stone Age”, published on Monday, October 13.

Pixnapping exploits the Android rendering pipeline to steal visual data displayed on-screen. “Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping,” the researchers explained. On-screen data such as 2FA codes, email content, and chat messages are exposed, while data that is never rendered, such as stored secret keys, cannot be reached by this technique.

Google said it patched the vulnerability, identified as CVE-2025-48561, in its September security bulletin and will issue further fixes in December. The company said it had not seen evidence of the bug being exploited in the wild. However, the researchers claim that modified versions of the attack still work even after the patch is installed.

The attack involves tricking a user into installing a malicious app that uses Android APIs to force other apps to display sensitive information. By measuring how long pixels take to render at specific screen coordinates, the malicious app can reconstruct the screen’s content, achieving the effect of a screenshot without holding any screenshot permission.

Pixnapping is similar to the GPU.zip side-channel attack uncovered in 2023, highlighting persistent gaps in mobile security defenses.