Technology News
English Edition
  • Home
  • Mobiles
  • Mobiles News
  • Android Phones Susceptible to ‘Pixnapping’ Attack That Steals 2FA Codes, Messages and More, Researchers Say

Android Phones Susceptible to ‘Pixnapping’ Attack That Steals 2FA Codes, Messages and More, Researchers Say

Researchers demonstrated Pixapping attacks on high-end smartphones such as the Google Pixel 10 and the Samsung Galaxy S25 Ultra.

Written by Shaurya Tomer, Edited by David Delima | Updated: 14 October 2025 16:34 IST
Android Phones Susceptible to ‘Pixnapping’ Attack That Steals 2FA Codes, Messages and More, Researchers Say

Photo Credit: Unsplash/ Daniel Romero

The vulnerability is claimed to affect all modern Android handsets

Click Here to Add Gadgets360 As A Trusted Source As A Preferred Source On Google
Highlights
  • The attack can exploit Android APIs and a hardware side channel
  • It does not need any system permissions to work, as per researchers
  • Google issued a partial patch in the September security bulletin
Advertisement

Android devices are susceptible to a new type of attack that can acquire two-factor authentication (2FA) codes, private messages, location timelines, and other personal information. Security researchers have devised a new attack that demonstrates the vulnerability, dubbed Pixnapping, It can exploit loopholes and security flaws in Google's Android operating system, without requiring any system permissions. As per a report, the malicious application can convert mapped pixel coordinates into alphanumeric characters or geometric shapes by exploiting a side channel.

What is a Pixnapping Attack?

A team of researchers from UC Berkeley, UC San Diego, Carnegie Mellon, and the University of Washington discovered the security flaw, which they call Pixnapping. It allows a malicious app to secretly leak information that is displayed by arbitrary websites or Android apps. The attack relies on Android APIs and a hardware side channel, which is claimed to affect all modern Android handsets. The vulnerability can be tracked under CVE-2025-48561 in the Common Vulnerabilities and Exposures (CVE) system.

The researchers demonstrated Pixapping attacks on high-end smartphones such as the Google Pixel 10 and the Samsung Galaxy S25 Ultra, where they recovered end-to-end protected sensitive data from Gmail and Google accounts using the attack.

Apart from this, it can also recover data from other apps such as Google Authenticator, Google Maps, Signal, and Venmo. In the case of Google Authenticator, specifically, Pixnapping can allow any malicious app to steal 2FA codes in under 30 seconds, while staying hidden from the user.

“Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping,” researchers told ArsTechnica in a statement.

How the Pixnapping Attack Is Performed

The researchers revealed a three-step approach to using Pixnapping on an Android smartphone.

Step 1: The malicious app calls on Android APIs that make contact with the app that is supposed to be snooped on. As per researchers, these calls can also be used to scan an infected device for installed apps or cause the targeted app to display specific data it has access to.

For example, it can reportedly force an app to display a message thread in a messaging app or find a 2FA code from a specific website. The report states that when an app is called upon, it sends information to the Android rendering pipeline, taking each app's pixels so that they can be rendered on the screen. It can include activities, intents, and tasks, researchers said.

Step 2: The second step of the attack involves performing graphical operations on individual pixels that the targeted app has sent towards the rendering pipeline. As per researchers, the operations can choose the coordinates of the targeted pixels that the app wants to steal.

It then runs a basic but repeated test on the colour of the pixels at those coordinates. Instead of determining the exact colour, the attack involves the use of a simple binary check.

Step 3: The third and final step of the Pixnapping attack is said to measure the amount of time required at each coordinate. The attack can rebuild the images that have been sent to the rendering pipeline one pixel at a time by combining the times for each one of them.

As per the report, the amount of time required to perform the attack varies based on several variables, such as the number of coordinates that need to be measured.

Google says it has partially patched the Android software to prevent Pixnapping. “We issued a patch for CVE-2025-48561 in the September Android security bulletin, which partially mitigates this behaviour,” the company wrote in an email to the publication.

Further, it will also issue an additional patch for this vulnerability with the December Android security bulletin. Researchers say they have discovered a workaround to make Pixnapping work despite the patch. However, Google reportedly said that there is no evidence of it being exploited in the wild.

Google Pixel 10

Google Pixel 10

  • REVIEW
  • KEY SPECS
  • NEWS
  • Design
  • Display
  • Software
  • Performance
  • Battery Life
  • Camera
  • Value for Money
  • Good
  • Solid and premium design
  • Bright display
  • AI smart features on board
  • Decent primary camera
  • Seven years of software support
  • Bad
  • Limited to a single 256GB storage only
  • Tensor G5 is underwhelming
  • Battery life could have been better
  • Not massive upgrades compared to Pixel 9
Read detailed Google Pixel 10 review
Display 6.30-inch
Front Camera 10.5-megapixel
Rear Camera 48-megapixel + 13-megapixel + 10.8-megapixel
RAM 12GB
Storage 256GB
Battery Capacity 4970mAh
OS Android 16
Resolution 1080x242 pixels
Samsung Galaxy S25 Ultra

Samsung Galaxy S25 Ultra

  • REVIEW
  • KEY SPECS
  • NEWS
  • Design
  • Display
  • Software
  • Performance
  • Battery Life
  • Camera
  • Value for Money
  • Good
  • New design is for the better
  • Cameras deliver consistent performance
  • Good battery life
  • Excellent performance
  • Smooth UI
  • Bad
  • S-Pen is a downgrade
  • No Dolby Vision support
  • Low light camera performance is lacking
  • Slow charging
Read detailed Samsung Galaxy S25 Ultra review
Display 6.90-inch
Processor Snapdragon 8 Elite
Front Camera 12-megapixel
Rear Camera 200-megapixel + 50-megapixel + 50-megapixel + 10-megapixel
RAM 12GB, 16GB
Storage 256GB, 512GB, 1TB
Battery Capacity 5000mAh
OS Android 15
Resolution 1400x3120 pixels
Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: Cybersecurity, Pixnapping, Google Authenticator, Signal, Google Maps, 2FA, Google, Data Privacy
Shaurya Tomer
Shaurya Tomer
Shaurya Tomer is a Sub Editor at Gadgets 360 with 2 years of experience across a diverse spectrum of topics. With a particular focus on smartphones, gadgets and the ever-evolving landscape of artificial intelligence (AI), he often likes to explore the industry's intricacies and innovations – whether dissecting the latest smartphone release or exploring the ethical implications of AI advancements. In his free time, he often embarks on impromptu road trips to unwind, recharge, and ...More
Income Tax Department Said to Target Over 400 Wealthy Binance Traders in Major Tax Evasion Crackdown

Related Stories

Android Phones Susceptible to ‘Pixnapping’ Attack That Steals 2FA Codes, Messages and More, Researchers Say
Comment
Facebook Gadgets360 Twitter Share Tweet Snapchat LinkedIn Reddit Comment google-newsGoogle News
Turbo Read

Advertisement

Featured
Follow Us
Latest Videos
More Videos
Tech News in Hindi
More Technology News in Hindi

Advertisement

Popular on Gadgets
Latest Gadgets
Popular Mobile Brands
#Trending Stories
  1. Oppo Reno 15, Reno 15 Pro Key Specifications Tipped Ahead of Launch
  2. iQOO 15 Vapour Chamber Cooling System Performance Teased Ahead of Launch
  3. iQOO Z10R 5G With Dimensity 7360-Turbo Launched After Indian Variant Debuts
  4. OnePlus 15 Battery Size, Charging Details Leaked Ahead of Imminent Launch
  5. Nothing Phone 3a Lite Tipped to Launch Soon in These Two Colourways
  6. Moto G100 (2025) Launched With Snapdragon 7s Gen 2 SoC, 7,000mAh Battery
  7. Instagram Boosts Teen Safety, Sets PG-13 Content Limits: Here Are Details
  8. Realme GT 8 Pro's Ricoh GR Camera Technology Revealed Ahead of Launch
  9. PS6 and Next Xbox Console Will Both Reportedly Launch in 2027
#Latest Stories
  1. JPMorgan Plans to Launch Crypto Asset Trading Services
  2. Nothing Phone Users Can Now Quickly 'Share' Any Content With Essential Space
  3. Samsung Patent Document Hints at 'Self-Healing' Screen for Foldable Phones: Report
  4. Nvidia DGX Spark Supercomputer With Grace Blackwell Chipset to Go on Sale Starting October 15
  5. Bhutan Migrates National ID System to Ethereum Blockchain
  6. OnePlus 15 Battery, Charging Specifications Leaked; Could Launch Soon
  7. Instagram Boosts Teen Safety, Sets PG-13 Content Limits for All New Teen Accounts
  8. Aan Paavam Pollathatu OTT Release Details: Know When and Where to Watch Tamil Movie Online
  9. Mirage to Release on OTT Platforms Soon: Everything You Need to Know About This Malayalam Crime Thriller Film
  10. How To Train Your Dragon Now Streaming on OTT: Know When and Where to Watch the Live-Action Film Online
Gadgets 360 is available in
Follow Us
Download Our Apps
App Store App Store
Available in Hindi
App Store
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.
Trending Products »
Latest Tech News »