Researchers expose critical Android flaw allowing apps to steal sensitive data

What happened: Security researchers have revived a 12-year-old browser-based data theft technique to target Android devices, creating a powerful new attack called Pixnapping.

  • The method allows a malicious Android app to steal data displayed on other apps or websites — including sensitive information from Google Maps, Gmail, Signal, Venmo, and even 2FA codes from Google Authenticator — without requiring special permissions.
  • Pixnapping works by exploiting a hardware side channel (GPU.zip) to read screen pixel data through rendering time measurements. By overlaying transparent activities and timing how quickly pixels render, attackers can reconstruct screen content pixel by pixel. Although the technique only leaks 0.6 to 2.1 pixels per second, it’s enough to recover sensitive data like authentication codes.
  • The vulnerability, CVE-2025-48561, affects devices running Android 13 through 16 (including Pixel 6–9 and Galaxy S25). A partial patch was issued in September 2025, with a more comprehensive fix expected in December.

Why is this important: Pixnapping exposes a fundamental flaw in Android’s rendering and GPU architecture, demonstrating that even long-resolved attacks can resurface in new forms.

  • Because it doesn’t require special permissions, a seemingly harmless app downloaded from the Google Play Store could secretly spy on sensitive on-screen data.
  • The attack also highlights a broader problem with side-channel vulnerabilities — leaks caused not by software bugs but by how hardware processes data.
  • These are notoriously difficult to detect and fix, posing ongoing challenges for mobile security.

Why should I care: If you use Android, this research underscores the potential for covert data theft without any user action or warning.

  • Apps could silently harvest sensitive details like banking information, 2FA codes, or location data simply by observing your screen activity.
  • Even though Google says there’s no evidence of exploitation, the mere existence of this attack shows that malware could bypass traditional security defenses.

What’s next: Google is rolling out further fixes to limit abuse of the blur API and improve detection. However, researchers warn that workarounds already exist, and the underlying GPU.zip vulnerability remains unresolved. Until a permanent solution is found, users should limit the installation of untrusted apps and keep devices updated. Security experts also expect more side-channel attacks like Pixnapping to emerge as attackers refine these sophisticated techniques.





