What happened: Security researchers have revived a 12-year-old browser-based data theft technique to target Android devices, creating a powerful new attack called Pixnapping.
- The method allows a malicious Android app to steal data displayed on other apps or websites, including sensitive information from Google Maps, Gmail, Signal, Venmo, and even 2FA codes from Google Authenticator, without requiring special permissions.
- Pixnapping works by leveraging a hardware side channel (GPU.zip) to read data from screen pixels via rendering time measurements. By overlaying transparent activities and timing how quickly pixels render, attackers can reconstruct screen content pixel by pixel. Even though the technique only leaks 0.6 to 2.1 pixels per second, this is enough to recover sensitive data such as authentication codes.
- The vulnerability, CVE-2025-48561, affects devices running Android 13 through 16 (including Pixel 6 through 9 and Galaxy S25). A partial fix was released in September 2025, and a more comprehensive fix is expected in December.
Why is this important: Pixnapping reveals a fundamental flaw in Android’s rendering and GPU architecture, demonstrating that even attacks considered long resolved can resurface in new forms.
- Because it does not require special permissions, a seemingly harmless app downloaded from the Google Play Store could secretly spy on sensitive data on the screen.
- The attack also highlights a broader problem with side-channel vulnerabilities: leaks caused not by software bugs but by the way the hardware processes data.
- These issues are notoriously difficult to detect and remediate, posing ongoing challenges for mobile security.
Why should I care: If you’re using Android, this research highlights the potential for covert data theft without any user action or warning.
- Apps can silently collect sensitive data such as banking information, 2FA codes, or location data simply by observing your screen activity.
- Even though Google says there is no evidence of exploitation, the mere existence of this attack shows that malware could bypass traditional security defenses.
What’s next: Google is rolling out further fixes to limit Blur API abuse and improve detection. However, researchers warn that workarounds already exist and the underlying GPU.zip vulnerability remains unresolved. Until a permanent solution is found, users should limit the installation of untrusted apps and keep devices updated. Security experts also expect more side-channel attacks, like Pixnapping, to emerge as attackers refine these sophisticated techniques.