Pixnapping Android Flaw Enables 2FA Code Theft
Summary
A side-channel attack called Pixnapping targets Android devices, enabling rogue apps to steal two-factor authentication (2FA) codes, Google Maps timelines, and other sensitive data. The flaw affects Android versions 13 to 16 on Google and Samsung devices, and potentially other OEMs. The attack exploits Android APIs and a hardware side-channel, allowing pixel-stealing without requiring special permissions. The vulnerability, tracked as CVE-2025-48561, was patched in September 2025, but a workaround that bypasses the patch exists. A more thorough patch is expected in the December 2025 Android security update. The attack can also determine if an arbitrary app is installed on the device, bypassing Android 11 restrictions. Google has marked the app list bypass as 'won't fix'.
Timeline
14.10.2025 14:18 · 2 articles
Pixnapping Android Flaw Disclosed
Researchers disclosed a side-channel attack named Pixnapping that targets Android devices to steal 2FA codes and other sensitive data. The attack exploits Android APIs and a hardware side-channel, allowing rogue apps to steal pixels from non-browser apps without requiring special permissions. It can steal sensitive data such as chat messages from secure communication apps like Signal, emails on Gmail, and two-factor authentication codes from Google Authenticator. The attack works on fully patched modern Android devices and can steal 2FA codes in less than 30 seconds.

The attack leverages a 'masking activity' to isolate and enlarge pixels, using a quirk in SurfaceFlinger's blur implementation. It then uses the GPU.zip side channel, which exploits graphical data compression in modern GPUs, to leak visual information.

The vulnerability affects Android versions 13 to 16 on Google and Samsung devices, and potentially other OEMs. The researchers demonstrated Pixnapping on Google Pixel 6, 7, 8, and 9 devices, as well as Samsung Galaxy S25, running Android versions 13 through 16. They also analyzed nearly 100,000 Play Store apps, finding hundreds of thousands of invocable actions through Android intents.

Google patched the vulnerability in September 2025, but a workaround that bypasses the patch exists. A more thorough patch is expected in the December 2025 Android security update. Additionally, the attack can determine if an arbitrary app is installed on the device, bypassing Android 11 restrictions. Google has marked the app list bypass as 'won't fix'.

Sources:
- New Pixnapping Android Flaw Lets Rogue Apps Steal 2FA Codes Without Permissions — thehackernews.com — 14.10.2025 14:18
- New Android Pixnapping attack steals MFA codes pixel-by-pixel — www.bleepingcomputer.com — 14.10.2025 21:46
Information Snippets
- Pixnapping is a side-channel attack targeting Android devices to steal 2FA codes and other sensitive data.
  First reported: 14.10.2025 14:18 · 2 sources, 2 articles
  - New Pixnapping Android Flaw Lets Rogue Apps Steal 2FA Codes Without Permissions — thehackernews.com — 14.10.2025 14:18
  - New Android Pixnapping attack steals MFA codes pixel-by-pixel — www.bleepingcomputer.com — 14.10.2025 21:46
- The attack affects Android versions 13 to 16 on Google and Samsung devices and potentially other OEMs.
  First reported: 14.10.2025 14:18 · 2 sources, 2 articles
  - New Pixnapping Android Flaw Lets Rogue Apps Steal 2FA Codes Without Permissions — thehackernews.com — 14.10.2025 14:18
  - New Android Pixnapping attack steals MFA codes pixel-by-pixel — www.bleepingcomputer.com — 14.10.2025 21:46
- Pixnapping exploits Android APIs and a hardware side-channel to steal pixels from non-browser apps like Google Authenticator.
  First reported: 14.10.2025 14:18 · 2 sources, 2 articles
  - New Pixnapping Android Flaw Lets Rogue Apps Steal 2FA Codes Without Permissions — thehackernews.com — 14.10.2025 14:18
  - New Android Pixnapping attack steals MFA codes pixel-by-pixel — www.bleepingcomputer.com — 14.10.2025 21:46
- The vulnerability allows rogue apps to steal data without requiring special permissions.
  First reported: 14.10.2025 14:18 · 2 sources, 2 articles
  - New Pixnapping Android Flaw Lets Rogue Apps Steal 2FA Codes Without Permissions — thehackernews.com — 14.10.2025 14:18
  - New Android Pixnapping attack steals MFA codes pixel-by-pixel — www.bleepingcomputer.com — 14.10.2025 21:46
- The attack can determine if an arbitrary app is installed on the device, bypassing Android 11 restrictions.
  First reported: 14.10.2025 14:18 · 2 sources, 2 articles
  - New Pixnapping Android Flaw Lets Rogue Apps Steal 2FA Codes Without Permissions — thehackernews.com — 14.10.2025 14:18
  - New Android Pixnapping attack steals MFA codes pixel-by-pixel — www.bleepingcomputer.com — 14.10.2025 21:46
- Google patched the vulnerability in September 2025, but a workaround that bypasses the patch exists.
  First reported: 14.10.2025 14:18 · 2 sources, 2 articles
  - New Pixnapping Android Flaw Lets Rogue Apps Steal 2FA Codes Without Permissions — thehackernews.com — 14.10.2025 14:18
  - New Android Pixnapping attack steals MFA codes pixel-by-pixel — www.bleepingcomputer.com — 14.10.2025 21:46
- Google has marked the app list bypass as 'won't fix'.
  First reported: 14.10.2025 14:18 · 1 source, 1 article
  - New Pixnapping Android Flaw Lets Rogue Apps Steal 2FA Codes Without Permissions — thehackernews.com — 14.10.2025 14:18
- The Pixnapping attack can steal sensitive data such as chat messages from secure communication apps like Signal, emails on Gmail, and two-factor authentication codes from Google Authenticator.
  First reported: 14.10.2025 21:46 · 1 source, 1 article
  - New Android Pixnapping attack steals MFA codes pixel-by-pixel — www.bleepingcomputer.com — 14.10.2025 21:46
- The attack works on fully patched modern Android devices and can steal 2FA codes in less than 30 seconds.
  First reported: 14.10.2025 21:46 · 1 source, 1 article
  - New Android Pixnapping attack steals MFA codes pixel-by-pixel — www.bleepingcomputer.com — 14.10.2025 21:46
- The attack leverages a 'masking activity' to isolate and enlarge pixels, using a quirk in SurfaceFlinger's blur implementation.
  First reported: 14.10.2025 21:46 · 1 source, 1 article
  - New Android Pixnapping attack steals MFA codes pixel-by-pixel — www.bleepingcomputer.com — 14.10.2025 21:46
- The attack uses the GPU.zip side channel, which exploits graphical data compression in modern GPUs, to leak visual information.
  First reported: 14.10.2025 21:46 · 1 source, 1 article
  - New Android Pixnapping attack steals MFA codes pixel-by-pixel — www.bleepingcomputer.com — 14.10.2025 21:46
- The researchers demonstrated Pixnapping on Google Pixel 6, 7, 8, and 9 devices, as well as Samsung Galaxy S25, running Android versions 13 through 16.
  First reported: 14.10.2025 21:46 · 1 source, 1 article
  - New Android Pixnapping attack steals MFA codes pixel-by-pixel — www.bleepingcomputer.com — 14.10.2025 21:46
- The researchers analyzed nearly 100,000 Play Store apps, finding hundreds of thousands of invocable actions through Android intents.
  First reported: 14.10.2025 21:46 · 1 source, 1 article
  - New Android Pixnapping attack steals MFA codes pixel-by-pixel — www.bleepingcomputer.com — 14.10.2025 21:46
- Google has developed a more thorough patch to be released with the Android security updates for December 2025.
  First reported: 14.10.2025 21:46 · 1 source, 1 article
  - New Android Pixnapping attack steals MFA codes pixel-by-pixel — www.bleepingcomputer.com — 14.10.2025 21:46
Similar Happenings
Two Android zero-day vulnerabilities exploited in targeted attacks
Google has released security updates for September 2025 to address 111 vulnerabilities in Android, including two zero-day flaws actively exploited in targeted attacks. The vulnerabilities, CVE-2025-38352 and CVE-2025-48543, allow for local privilege escalation without additional execution privileges or user interaction. The updates include two patch levels, 2025-09-01 and 2025-09-05, to provide flexibility for Android partners. The flaws affect the Linux Kernel and Android Runtime components. Google has not disclosed specific details about the attacks but has acknowledged limited, targeted exploitation. Benoît Sevens of Google's Threat Analysis Group (TAG) discovered the Linux Kernel flaw, suggesting it may have been used in targeted spyware attacks. The updates also address several other vulnerabilities, including remote code execution, privilege escalation, information disclosure, and denial-of-service issues in Framework and System components. The September 2025 update covers Android 13 through 16 and includes fixes for 27 Qualcomm components, bringing the total number of fixed flaws to 111. The September 2025 Android patches address 111 unique CVEs. The Linux kernel vulnerability (CVE-2025-38352) is a race condition related to POSIX CPU timers. The Android Runtime zero-day (CVE-2025-48543) is resolved in the 2025-09-01 security patch level. The 2025-09-05 security patch level fixes the Linux kernel bug and 51 other issues affecting various components. Google rolled out Pixel security updates resolving 23 vulnerabilities specific to Pixel devices. All vulnerabilities in the Android bulletin are resolved with updates to Wear OS, Pixel Watch, and Automotive OS.