Pixnapping Side-Channel Attack Enables Android Apps to Steal Sensitive Data Without Permissions
A newly disclosed side-channel attack, dubbed Pixnapping, has been demonstrated by researchers from several US universities, revealing a significant security vulnerability in Android devices manufactured by Google and Samsung. The Pixnapping technique allows a malicious Android application to covertly extract sensitive on-screen data, including two-factor authentication (2FA) codes, Google Maps timelines, and information from apps such as Signal, Venmo, and Gmail, without requiring any special permissions. The attack leverages a hardware side-channel known as GPU.zip, previously disclosed by some of the same researchers, and exploits Android APIs to force victim pixels into the rendering pipeline. By stacking semi-transparent Android activities, a rogue app can compute on these pixels and reconstruct sensitive information pixel-by-pixel. The researchers successfully demonstrated the attack on Google Pixel models 6 through 9 and the Samsung Galaxy S25, all running Android versions 13 to 16. The attack is notable for its ability to bypass browser-based mitigations and to target both browser and non-browser applications, including Google Authenticator, making it possible to steal 2FA codes in under 30 seconds. The Pixnapping attack does not require the malicious app to request or obtain any special permissions, increasing the risk of exploitation if users are tricked into installing such an app. The technical complexity of the attack is high, requiring deep knowledge of Android internals and graphics hardware, but once developed, the attack could be packaged into seemingly benign apps and distributed through typical malware channels. The researchers disclosed their findings to Google and Samsung in early 2025, prompting Google to issue partial patches, though some workarounds remain and both companies are still working on comprehensive fixes. The underlying methodology of the attack suggests that other Android devices beyond those tested may also be vulnerable, as the exploited APIs and hardware features are common across the platform. The attack highlights the limitations of current Android permission models, as it enables data theft without explicit user consent or awareness. Security experts warn that this vulnerability could be leveraged by sophisticated threat actors to compromise sensitive user data at scale. The research underscores the need for both OS-level and hardware-level mitigations to address such side-channel threats. Users are advised to exercise caution when installing new apps, even from trusted sources, and to stay updated with the latest security patches from device manufacturers. The Pixnapping disclosure has prompted renewed scrutiny of Android's security architecture and the effectiveness of existing app sandboxing and permission controls. Ongoing collaboration between academic researchers and industry vendors is expected to drive further improvements in mobile device security in response to this class of attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Reports note no patch is yet available for Pixnapping
Follow-up coverage stated that there was not yet a fix available for the Android Pixnapping issue at the time of disclosure. The reporting emphasized that attackers could abuse the technique to extract on-screen data, including MFA codes, from affected phones.
Researchers disclose the Android 'Pixnapping' attack
Security researchers disclosed a new Android attack dubbed 'Pixnapping' that allows a malicious app to capture screen contents pixel by pixel and steal sensitive data such as 2FA codes and private messages without needing broad permissions. Multiple outlets reported the disclosure as a newly revealed technique affecting Android devices.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
A New Attack Lets Hackers Steal 2-Factor Authentication Codes From Android Phones
wired.com
Open sourceThis new Android exploit can steal everything on your screen - even 2FA codes
zdnet.com
Open sourceThis new 'Pixnapping' exploit can steal everything on your Android screen - even 2FA codes
zdnet.com
Open sourceAndroid Hack Can Steal 2FA Codes in Seconds, Researchers Find
bitdefender.com
Open sourcePixel-stealing “Pixnapping” attack targets Android devices
malwarebytes.com
Open sourceNew Android Pixnapping attack steals MFA codes pixel-by-pixel
bleepingcomputer.com
Open sourcePixnapping Attack Lets Attackers Steal 2FA on Android
darkreading.com
Open sourceHackers can steal 2FA codes and private messages from Android phones
arstechnica.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Pixnapping Side-Channel Attack Targets Android Devices
Researchers have identified a new side-channel attack technique, dubbed "Pixnapping," that poses significant privacy risks to Android device users. The Pixnapping attack enables malicious applications to capture on-screen pixels from other apps, allowing attackers to steal sensitive information such as one-time authentication codes, private messages, and browser content without requiring direct access to the targeted data. This method leverages weaknesses in Android's screen access controls and app overlay permissions, making it possible for a rogue app to surreptitiously observe and extract visual data from other running applications. The attack highlights the growing sophistication of side-channel threats on mobile platforms, where traditional security boundaries are bypassed through indirect data leakage. Security researchers emphasize that the prevalence of mobile devices in authentication, communication, and financial transactions amplifies the potential impact of such attacks. Organizations that have implemented stricter runtime permissions and enforced rigorous app vetting processes have demonstrated reduced exposure to these risks and improved detection times. The Pixnapping technique was featured in both dedicated security research and broader industry news coverage, underscoring its relevance and the urgency for mitigation. Security experts recommend that Android users and enterprises prioritize the hardening of screen access controls and limit the use of app overlays to trusted applications only. The attack also serves as a reminder of the need for continuous monitoring and rapid response capabilities in mobile security operations. While no widespread exploitation has been reported yet, the proof-of-concept demonstrates the feasibility of extracting highly sensitive data through visual side channels. The research community is calling for platform-level changes in Android to address these privacy gaps and prevent similar attacks in the future. Mobile security vendors are updating their threat detection models to identify suspicious overlay and screen-capturing behaviors. The Pixnapping attack is part of a broader trend of increasingly sophisticated threats targeting the mobile ecosystem. End users are advised to be cautious about granting overlay permissions and to regularly review app privileges. The incident has prompted renewed discussion about the balance between app functionality and user privacy on Android devices. Security teams are urged to stay informed about emerging side-channel techniques and to adapt their defenses accordingly.
Mar 21, 2026
Android Mobile Apps Expose Sensitive User Data Through Security Weaknesses and Side-Channel Attacks
Researchers have uncovered significant security and privacy issues in Android mobile applications, particularly those in the healthcare sector. A comprehensive study analyzed 272 healthcare-related Android apps, revealing that many transmit sensitive user data without encryption, store files insecurely, or share information with third-party components without adequate safeguards. The research team employed multiple static analysis tools, including MobSF, RiskInDroid, and OWASP Mobile Audit, to assess the security posture of these apps. MobSF identified weaknesses in permissions, network handling, certificate management, and manifest configuration, with app security scores ranging from 35 to 60 out of 100. RiskInDroid found that 150 apps used undeclared permissions, potentially creating hidden channels for data exfiltration, and flagged proprietary permissions that could bypass standard Android security controls. The OWASP Mobile Audit of 95 apps detected issues such as unencrypted local storage, hardcoded credentials, and missing input validation, mapping these weaknesses to the OWASP Mobile Top 10 categories. In parallel, researchers have demonstrated that some Android apps can bypass operating system permissions to access sensitive data through hidden methods and side-channel attacks. One such attack, dubbed 'Pixnapping' and tracked as CVE-2025-48561, allows a malicious app to capture screen display pixels, potentially exposing sensitive information like two-factor authentication codes. The Pixnapping attack was demonstrated on multiple devices, including Google Pixel 6 through 9 and Samsung Galaxy S25, and is conceptually similar to a 12-year-old browser-based data-stealing technique. Despite previous attempts by Google to address this vulnerability, researchers showed that the flaw remains exploitable on Android versions 13 to 16. The ability of apps to sidestep permissions and leverage hardware side channels raises serious concerns about the effectiveness of current Android security controls. These findings highlight the urgent need for stronger app vetting processes, improved permission management, and enhanced user awareness regarding the risks of installing mobile applications. The exposure of sensitive healthcare data is particularly alarming, given the potential for identity theft, fraud, and privacy violations. Security experts recommend that users exercise caution when granting permissions to apps and that developers adhere to best practices for secure coding and data protection. The research underscores the importance of regular security assessments and updates to address emerging threats in the mobile ecosystem. Industry standards such as the OWASP Mobile Top 10 provide a useful framework for identifying and mitigating common vulnerabilities. The ongoing discovery of new attack vectors, such as Pixnapping, demonstrates that attackers continue to innovate, necessitating a proactive and layered approach to mobile security. Organizations handling sensitive data, especially in healthcare, must prioritize mobile app security to protect user privacy and comply with regulatory requirements. The convergence of insecure app design and advanced attack techniques poses a growing threat to the confidentiality and integrity of user data on Android devices.
Mar 21, 2026
Google Pixel November Feature Drop and Android Pixnapping Vulnerability
Google has released a November feature update for Pixel phones, introducing several new capabilities focused on user security and convenience. Notably, the update adds scam detection for messages, which alerts users to potentially fraudulent communications, and notification summaries to help users manage important messages. These features are rolling out to Pixel 6 and newer devices, aiming to enhance protection against social engineering attacks and improve overall user experience. Separately, security researchers have disclosed a critical Android vulnerability known as Pixnapping (CVE-2025-48561), which allows malicious apps to capture screenshots of sensitive information without requiring special permissions. This flaw potentially exposes passwords, one-time codes, and financial data to attackers, affecting all modern Android devices, including those running the latest versions. While Pixnapping is not yet exploited in the wild, it underscores the ongoing risks to mobile device security and the need for prompt patching by Google.
Mar 21, 2026