Researchers from UC Berkeley, UC San Diego, the University of Washington, and Carnegie Mellon have unveiled Pixnapping, a novel Android attack that steals sensitive on-screen data such as one-time passcodes (OTPs), messages, and emails. Detailed in the paper “Pixnapping: Bringing Pixel Stealing out of the Stone Age”, the exploit bypasses browser mitigations and targets non-browser apps, marking a first in pixel-stealing exploits.
The attack requires installing a malicious, no-permission app. Once opened, it launches target apps (e.g., Google Authenticator) and extracts pixels one by one via graphical operations, measuring render times to reconstruct characters. “It’s like taking a screenshot of inaccessible content,” the researchers noted.
Google has patched 'Pixnapping' attack in Android, further fix with December security update https://t.co/bXUgajvm5E by @chaosromero
— 9to5Google (@9to5Google) October 14, 2025
How Pixnapping Works
- App Installation: User downloads and opens the malicious app.
- Target Launch: The malicious app launches exported activities of victim apps such as Authenticator.
- Pixel Extraction: It isolates individual pixels, waits for rendering, and infers their colours (e.g., white/non-white) from frame times.
- Reconstruction: Builds data like 2FA codes in 14–30 seconds on tested devices.
Tests on Google Pixel 6–9 recovered codes in under 30 seconds; the Samsung Galaxy S25 took 14–26 seconds due to noise. Recovering a full screen requires 10–25 hours at 0.6–2.1 pixels/second. Overlays with <1% transparency hide the attack. Pixnapping echoes 2023’s GPU.zip side-channel attacks, which were patched in browsers. It exploits Android’s graphics layer, evading permissions.
Google issued a partial fix in September 2025, with a full patch in December. No exploitation in the wild has been reported. Users should install updates immediately. Developers should hide sensitive content or restrict overlays via app access checks. Pixnapping exposes the limits of Android’s data isolation, putting 2FA at risk. With the growth of AI and mobile banking, such vulnerabilities demand swift patches.
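Because the Target Launch step depends on exported activities, a developer can start by listing which of their own app's activities other apps are able to start. The script below is an added example, not code from the researchers or Google; the manifest, package and activity names are constructed, and treating this audit as a review step (rather than a fix for Pixnapping) is an assumption of the example.

```python
import xml.etree.ElementTree as ET
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (decoded XML) for a hypothetical app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.authdemo">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <activity android:name=".CodeListActivity" android:exported="true"/>
    <activity android:name=".ShareTargetActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
      </intent-filter>
    </activity>
    <activity android:name=".BackupActivity" android:exported="true"
        android:permission="com.example.authdemo.permission.BACKUP"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""


def externally_launchable(manifest_xml):
    """Map each activity that other apps can start to the reason it is reachable."""
    app = ET.fromstring(manifest_xml).find("application")
    app_perm = app.get(ANDROID + "permission")  # inherited when a component sets none
    findings = {}
    for act in list(app.iter("activity")) + list(app.iter("activity-alias")):
        exported = act.get(ANDROID + "exported")
        reason = "exported=true"
        if exported is None:
            # No explicit attribute: an intent-filter exports the component by
            # default (apps targeting API 31+ must declare it explicitly).
            exported = "true" if act.find("intent-filter") is not None else "false"
            reason = "implicitly exported via intent-filter"
        if exported != "true":
            continue
        perm = act.get(ANDROID + "permission") or app_perm
        gate = "requires " + perm if perm else "no permission required"
        findings[act.get(ANDROID + "name")] = reason + ", " + gate
    return findings


if __name__ == "__main__":
    print(externally_launchable(SAMPLE_MANIFEST))
```

Activities reported as needing no permission and showing secrets (here the hypothetical .CodeListActivity) are the ones to review first.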