Android's 'Pixnapping' Flaw: Malicious Apps Now Stealing 2FA Codes Without Permissions
- John Jordan
- Oct 14
- 2 min read
A newly discovered vulnerability in Android, dubbed 'Pixnapping,' allows malicious applications to steal sensitive data, including two-factor authentication (2FA) codes and Google Maps timelines, without requiring any special permissions. This sophisticated side-channel attack exploits Android's APIs and hardware features to capture data pixel by pixel, posing a significant threat to user security.

Key Takeaways
- Pixnapping Attack: A novel side-channel attack enabling malicious apps to steal data, including 2FA codes, from other apps.
- No Special Permissions Needed: The attack can be executed by any app, even without elevated privileges.
- Affected Devices: Primarily tested on Google and Samsung devices running Android 13-16, but the underlying methodology is present across the OS.
- Exploits Hardware and APIs: Leverages Android's window blur API and a GPU compression feature (GPU.zip) for data exfiltration.
- Bypasses Security Measures: Circumvents browser mitigations and targets non-browser apps like Google Authenticator.
- CVE Identifier: Tracked as CVE-2025-48561 with a CVSS score of 5.5.
- Patch Status: Google has issued patches, but a workaround to re-enable the attack exists, and an app list bypass remains unpatched.
The Pixnapping Framework
Researchers from several universities have detailed the 'Pixnapping' attack, which allows a malicious app to covertly capture data by manipulating the Android rendering pipeline. The technique involves forcing victim app pixels into the rendering process and then using a stack of semi-transparent Android activities to isolate, enlarge, and transmit specific pixels containing sensitive information, such as 2FA codes. This process can reportedly capture 2FA codes in under 30 seconds.
Technical Underpinnings
The attack leverages a combination of three core Android functionalities:
1. The ability for an app to send another app's activities to the Android rendering pipeline via intents.
2. The capability to induce graphical operations, like blur effects, on pixels displayed by other apps.
3. The capacity to measure pixel color-dependent side effects of these graphical operations.
This is built upon a previously disclosed side-channel called GPU.zip, which exploits compression features in integrated GPUs. By combining this with Android's window blur API, attackers can effectively steal rendering data from victim apps.
Vulnerable Devices and Mitigation
The study specifically focused on Google and Samsung devices running Android versions 13 through 16. While the exact susceptibility of devices from other manufacturers is unclear, the fundamental mechanisms required for Pixnapping are present in all Android devices. Google has assigned the vulnerability the identifier CVE-2025-48561 and released patches as part of its September 2025 Android Security Bulletin. However, a workaround has been identified that can re-enable the attack, and Google is reportedly working on a further fix.
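For anyone triaging a fleet of Android devices against the patch status above, the script below is an added example (not from the article or from Google) that classifies a device from two standard build properties: the Android release and the security patch level. It assumes the fix ships with the September 2025 patch level the article names, treats Android 13-16 as the tested range, and reports older releases as "untested" rather than "safe", since the article makes no claim about them.

```shell
#!/bin/sh
# Added example: triage exposure to CVE-2025-48561 (Pixnapping) per device.
# Assumption: patch level 2025-09-01 or later carries the fix from the
# September 2025 Android Security Bulletin. A "patched" result is still
# only the baseline, because the article reports a workaround that can
# re-enable the attack, and the app-list bypass is unpatched entirely.

# pixnapping_status MAJOR_VERSION SECURITY_PATCH(YYYY-MM-DD)
# Prints one of: vulnerable | patched | untested | unknown
pixnapping_status() {
    ver="$1"
    patch="$2"
    case "$ver" in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;
    esac
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    if [ "$ver" -lt 13 ]; then
        # Below the Android 13-16 range the researchers tested.
        echo "untested"; return 0
    fi
    # Compare ISO dates numerically (20250805 < 20250901).
    patch_num=$(printf '%s' "$patch" | tr -d '-')
    if [ "$patch_num" -lt 20250901 ]; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# Query every attached device via adb and print one line per device.
# Property names are the standard Android build properties.
scan_adb_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        ver=$(adb -s "$serial" shell getprop ro.build.version.release | tr -d '\r')
        patch=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        status=$(pixnapping_status "${ver%%.*}" "$patch")
        printf '%s\tAndroid %s\tpatch %s\t%s\n' "$serial" "$ver" "$patch" "$status"
    done
}

if [ "${1:-}" = "--scan" ]; then
    scan_adb_devices
fi
```

Run with `--scan` on a workstation that has adb and the devices attached; without arguments it only defines the functions so they can be sourced by other scripts.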
App List Bypass Unpatched
Beyond the direct data theft, Pixnapping also enables an attacker to determine if an arbitrary app is installed on a device. This bypasses security restrictions implemented since Android 11 that prevent querying the full list of installed applications. Google has marked this specific issue as 'won't fix,' citing the inherent nature of app layering in mobile operating systems.
As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
Sources
New Pixnapping Android Flaw Lets Rogue Apps Steal 2FA Codes Without Permissions, The Hacker News.