Android Pixnapping side-channel flaw (CVE-2025-48561)
Vulnerability
Summary
Hide ▲
Show ▼
Pixnapping is a side-channel vulnerability in Android that lets a malicious app with no permissions steal pixels from apps and websites and reconstruct sensitive content. The attack has been shown against Google Pixel 6/7/8/9 and Samsung Galaxy S25 devices on Android 13 through 16, including Google Authenticator 2FA codes, Gmail emails, Signal messages, and Google Maps data, with 2FA codes recoverable in less than 30 seconds. Google tracks the issue as CVE-2025-48561 and tried to fix it in the September 2025 Android update, but researchers bypassed that mitigation; Google expects a more complete fix in the December 2025 Android security update.
Related Happenings
Bright Data iOS SDK teardown reveals unauthenticated scraping relay and VPN bypass
Technical Analysis
H score45
First: 06.06.2026 11:29
Last: 06.06.2026 11:29
Sources 1
About this happening:
Researchers **reverse-engineered Bright Data's iOS SDK** and found it can turn consumer devices into **exit nodes** for web-scraping traffic. The teardown showed the job channel h...
Bright Data iOS SDK teardown reveals unauthenticated scraping relay and VPN bypass
Technical AnalysisAbout this happening: Researchers **reverse-engineered Bright Data's iOS SDK** and found it can turn consumer devices into **exit nodes** for web-scraping traffic. The teardown showed the job channel h...
Google Gemini on Android notification-injection bypass using Fake Context Alignment
Technical Analysis
H score16
First: 03.06.2026 22:11
Last: 03.06.2026 22:11
Sources 1
About this happening:
Researchers found a **notification-based prompt-injection bypass** in **Google Gemini on Android** that could turn hostile notification text into **unauthorized assistant actions*...
Google Gemini on Android notification-injection bypass using Fake Context Alignment
Technical AnalysisAbout this happening: Researchers found a **notification-based prompt-injection bypass** in **Google Gemini on Android** that could turn hostile notification text into **unauthorized assistant actions*...
Google rolls out Android fake call detection against AI impersonation scam calls
Security Tool/Service
H score20
First: 03.06.2026 12:02
Last: 03.06.2026 12:02
Sources 1
About this happening:
**Google** is rolling out **fake call detection** on **Android 12 and later** devices this month, giving users a built-in warning when a caller may be using **AI voice-cloning** o...
Google rolls out Android fake call detection against AI impersonation scam calls
Security Tool/ServiceAbout this happening: **Google** is rolling out **fake call detection** on **Android 12 and later** devices this month, giving users a built-in warning when a caller may be using **AI voice-cloning** o...
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical Analysis
H score16
First: 21.05.2026 23:07
Last: 21.05.2026 23:07
Sources 1
About this happening:
Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
Google Cloud Platform API key revocation testing finds minutes-long post-deletion authentication
Technical AnalysisAbout this happening: Testing showed **deleted Google Cloud Platform API keys** could still authenticate for **minutes after revocation**, creating a post-deletion abuse window that weakens **incident...
Android 17 expands platform security and privacy protections
Security Tool/Service
H score15
First: 12.05.2026 20:00
Last: 12.05.2026 20:00
Sources 1
About this happening:
**Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...
Android 17 expands platform security and privacy protections
Security Tool/ServiceAbout this happening: **Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...
Timeline
-
14.10.2025 14:18 3 articles · 8mo ago
Pixnapping Android side-channel flaw disclosed
Initial DisclosureResearchers disclosed Pixnapping, a side-channel attack against Android devices from Google and Samsung that can steal 2FA codes, Google Maps timelines, and other sensitive data from victim apps such as Google Authenticator without special app permissions. The technique uses Android intents, semi-transparent activities, Android's window blur API, and a GPU side-channel to force victim pixels into the rendering pipeline and measure blur timing, and Google tracks the issue as CVE-2025-48561 with a CVSS score of 5.5. Google issued patches in the September 2025 Android Security Bulletin, but a workaround can re-enable exploitation and the related app-list bypass remains marked "won't fix."
Show sources
- New Pixnapping Android Flaw Lets Rogue Apps Steal 2FA Codes Without Permissions — thehackernews.com — 14.10.2025 14:18
- New Pixnapping Android Flaw Lets Rogue Apps Steal 2FA Codes Without Permissions — thehackernews.com — 14.10.2025 14:18
- New Android Pixnapping attack steals MFA codes pixel-by-pixel — www.bleepingcomputer.com — 14.10.2025 21:46