Researchers demonstrated Pixapping attacks on high-end smartphones such as the Google Pixel 10 and the Samsung Galaxy S25 Ultra.
The vulnerability is claimed to affect all modern Android handsets
Photo Credit: Unsplash/ Daniel Romero
Android devices are susceptible to a new type of attack that can acquire two-factor authentication (2FA) codes, private messages, location timelines, and other personal information. Security researchers have devised a new attack that demonstrates the vulnerability, dubbed Pixnapping, It can exploit loopholes and security flaws in Google's Android operating system, without requiring any system permissions. As per a report, the malicious application can convert mapped pixel coordinates into alphanumeric characters or geometric shapes by exploiting a side channel.
A team of researchers from UC Berkeley, UC San Diego, Carnegie Mellon, and the University of Washington discovered the security flaw, which they call Pixnapping. It allows a malicious app to secretly leak information that is displayed by arbitrary websites or Android apps. The attack relies on Android APIs and a hardware side channel, which is claimed to affect all modern Android handsets. The vulnerability can be tracked under CVE-2025-48561 in the Common Vulnerabilities and Exposures (CVE) system.
The researchers demonstrated Pixapping attacks on high-end smartphones such as the Google Pixel 10 and the Samsung Galaxy S25 Ultra, where they recovered end-to-end protected sensitive data from Gmail and Google accounts using the attack.
Apart from this, it can also recover data from other apps such as Google Authenticator, Google Maps, Signal, and Venmo. In the case of Google Authenticator, specifically, Pixnapping can allow any malicious app to steal 2FA codes in under 30 seconds, while staying hidden from the user.
“Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping,” researchers told ArsTechnica in a statement.
The researchers revealed a three-step approach to using Pixnapping on an Android smartphone.
Step 1: The malicious app calls on Android APIs that make contact with the app that is supposed to be snooped on. As per researchers, these calls can also be used to scan an infected device for installed apps or cause the targeted app to display specific data it has access to.
For example, it can reportedly force an app to display a message thread in a messaging app or find a 2FA code from a specific website. The report states that when an app is called upon, it sends information to the Android rendering pipeline, taking each app's pixels so that they can be rendered on the screen. It can include activities, intents, and tasks, researchers said.
Step 2: The second step of the attack involves performing graphical operations on individual pixels that the targeted app has sent towards the rendering pipeline. As per researchers, the operations can choose the coordinates of the targeted pixels that the app wants to steal.
It then runs a basic but repeated test on the colour of the pixels at those coordinates. Instead of determining the exact colour, the attack involves the use of a simple binary check.
Step 3: The third and final step of the Pixnapping attack is said to measure the amount of time required at each coordinate. The attack can rebuild the images that have been sent to the rendering pipeline one pixel at a time by combining the times for each one of them.
As per the report, the amount of time required to perform the attack varies based on several variables, such as the number of coordinates that need to be measured.
Google says it has partially patched the Android software to prevent Pixnapping. “We issued a patch for CVE-2025-48561 in the September Android security bulletin, which partially mitigates this behaviour,” the company wrote in an email to the publication.
Further, it will also issue an additional patch for this vulnerability with the December Android security bulletin. Researchers say they have discovered a workaround to make Pixnapping work despite the patch. However, Google reportedly said that there is no evidence of it being exploited in the wild.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.