Google Pixel November Feature Drop and Android Pixnapping Vulnerability
Google has released a November feature update for Pixel phones, introducing several new capabilities focused on user security and convenience. Notably, the update adds scam detection for messages, which alerts users to potentially fraudulent communications, and notification summaries to help users manage important messages. These features are rolling out to Pixel 6 and newer devices, aiming to enhance protection against social engineering attacks and improve overall user experience.
Separately, security researchers have disclosed a critical Android vulnerability known as Pixnapping (CVE-2025-48561), which allows malicious apps to capture screenshots of sensitive information without requiring special permissions. This flaw potentially exposes passwords, one-time codes, and financial data to attackers, affecting all modern Android devices, including those running the latest versions. While Pixnapping is not yet exploited in the wild, it underscores the ongoing risks to mobile device security and the need for prompt patching by Google.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Pixnapping vulnerability in Android Pixel devices is publicly disclosed
Kaspersky publicly disclosed the 'Pixnapping' vulnerability, tracked as CVE-2025-48561, describing it as an unblockable screenshotting issue affecting Android phones. The disclosure brought technical attention to a flaw that could allow screenshots despite expected protections.
Google releases November 2025 Pixel update with security fixes
Google rolled out a Pixel software update in November 2025 that included multiple feature upgrades and security improvements for Pixel devices. The update is the common event referenced across the coverage and likely addressed the Android screenshotting issue discussed in later reporting.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Google just gave me 5 compelling reasons to update my Pixel - including this security boost
zdnet.com
Open sourceGoogle just gave Pixel users 5 compelling reasons to update their phones - here's what's new
zdnet.com
Open sourceYour Pixel phone is getting 5 free upgrades today - including a built-in scam detector
zdnet.com
Open sourcePixnapping vulnerability: unblockable screenshotting of your Android phone
kaspersky.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Pixnapping Side-Channel Attack Enables Android Apps to Steal Sensitive Data Without Permissions
A newly disclosed side-channel attack, dubbed Pixnapping, has been demonstrated by researchers from several US universities, revealing a significant security vulnerability in Android devices manufactured by Google and Samsung. The Pixnapping technique allows a malicious Android application to covertly extract sensitive on-screen data, including two-factor authentication (2FA) codes, Google Maps timelines, and information from apps such as Signal, Venmo, and Gmail, without requiring any special permissions. The attack leverages a hardware side-channel known as GPU.zip, previously disclosed by some of the same researchers, and exploits Android APIs to force victim pixels into the rendering pipeline. By stacking semi-transparent Android activities, a rogue app can compute on these pixels and reconstruct sensitive information pixel-by-pixel. The researchers successfully demonstrated the attack on Google Pixel models 6 through 9 and the Samsung Galaxy S25, all running Android versions 13 to 16. The attack is notable for its ability to bypass browser-based mitigations and to target both browser and non-browser applications, including Google Authenticator, making it possible to steal 2FA codes in under 30 seconds. The Pixnapping attack does not require the malicious app to request or obtain any special permissions, increasing the risk of exploitation if users are tricked into installing such an app. The technical complexity of the attack is high, requiring deep knowledge of Android internals and graphics hardware, but once developed, the attack could be packaged into seemingly benign apps and distributed through typical malware channels. The researchers disclosed their findings to Google and Samsung in early 2025, prompting Google to issue partial patches, though some workarounds remain and both companies are still working on comprehensive fixes. The underlying methodology of the attack suggests that other Android devices beyond those tested may also be vulnerable, as the exploited APIs and hardware features are common across the platform. The attack highlights the limitations of current Android permission models, as it enables data theft without explicit user consent or awareness. Security experts warn that this vulnerability could be leveraged by sophisticated threat actors to compromise sensitive user data at scale. The research underscores the need for both OS-level and hardware-level mitigations to address such side-channel threats. Users are advised to exercise caution when installing new apps, even from trusted sources, and to stay updated with the latest security patches from device manufacturers. The Pixnapping disclosure has prompted renewed scrutiny of Android's security architecture and the effectiveness of existing app sandboxing and permission controls. Ongoing collaboration between academic researchers and industry vendors is expected to drive further improvements in mobile device security in response to this class of attacks.
Mar 21, 2026
Pixnapping Side-Channel Attack Targets Android Devices
Researchers have identified a new side-channel attack technique, dubbed "Pixnapping," that poses significant privacy risks to Android device users. The Pixnapping attack enables malicious applications to capture on-screen pixels from other apps, allowing attackers to steal sensitive information such as one-time authentication codes, private messages, and browser content without requiring direct access to the targeted data. This method leverages weaknesses in Android's screen access controls and app overlay permissions, making it possible for a rogue app to surreptitiously observe and extract visual data from other running applications. The attack highlights the growing sophistication of side-channel threats on mobile platforms, where traditional security boundaries are bypassed through indirect data leakage. Security researchers emphasize that the prevalence of mobile devices in authentication, communication, and financial transactions amplifies the potential impact of such attacks. Organizations that have implemented stricter runtime permissions and enforced rigorous app vetting processes have demonstrated reduced exposure to these risks and improved detection times. The Pixnapping technique was featured in both dedicated security research and broader industry news coverage, underscoring its relevance and the urgency for mitigation. Security experts recommend that Android users and enterprises prioritize the hardening of screen access controls and limit the use of app overlays to trusted applications only. The attack also serves as a reminder of the need for continuous monitoring and rapid response capabilities in mobile security operations. While no widespread exploitation has been reported yet, the proof-of-concept demonstrates the feasibility of extracting highly sensitive data through visual side channels. The research community is calling for platform-level changes in Android to address these privacy gaps and prevent similar attacks in the future. Mobile security vendors are updating their threat detection models to identify suspicious overlay and screen-capturing behaviors. The Pixnapping attack is part of a broader trend of increasingly sophisticated threats targeting the mobile ecosystem. End users are advised to be cautious about granting overlay permissions and to regularly review app privileges. The incident has prompted renewed discussion about the balance between app functionality and user privacy on Android devices. Security teams are urged to stay informed about emerging side-channel techniques and to adapt their defenses accordingly.
Mar 21, 2026
Google Patches Android Zero-Day and High-Severity XR Privilege Escalation Flaws
Google has issued its June 2026 Android security updates to fix **113 vulnerabilities**, including **18 critical** flaws and a zero-day tracked as `CVE-2025-48595` that the company said may be under limited, targeted exploitation. The zero-day affects the **Android Framework** and stems from an integer overflow memory-management issue that can enable code execution and potentially full device compromise. The update also addresses vulnerabilities in third-party components from **Qualcomm, MediaTek, and Unisoc**, and Google said devices running Android 10 or later can receive relevant fixes through Google Play services, with patch levels dated **2026-06-05** or later remediating the documented issues. Google also published its June 2026 **XR Security Bulletin**, disclosing a high-severity flaw, `CVE-2026-0072`, in `InputMethodManagerService`. The bug is caused by a missing permission check in `addInputMethodListener` and can allow **local elevation of privilege** without additional execution privileges or user interaction; Google said it could also permit input text to be read without permission. The XR issue is fixed with security patch level **2026-06-01** or later, while full XR protection requires the broader Android June 2026 patch level as well, underscoring the need for enterprises to accelerate deployment of both platform and device-vendor updates.
Jun 3, 2026