Think your Android phone is safe? A new security vulnerability discovered by researchers has led to putting modern Android smartphones at risk from deadly malicious cyberattacks. Dubbed ‘Pixnapping,’ the sophisticated attack allows a malicious and less-privileged app to steal highly sensitive information displayed on a user’s screen. Note that the ‘stealable’ information included two-factor authentication (2FA) codes, private messages, and location timelines.
The security flaw, tracked as CVE-2025-48561, is claimed to affect all modern Android handsets, posing a severe risk even to high-end and recently launched devices like the Google Pixel 10 and the Samsung Galaxy S25 Ultra.
The researchers, who hail from institutions including UC Berkeley, UC San Diego, Carnegie Mellon, and the University of Washington, demonstrated that the malicious apps could recover sensitive data from popular verification apps such as Google Authenticator, Signal, Gmail, Google Maps, and Venmo.
Pixnapping threat on Android: How it works
Researchers say that in the case of Google Authenticator, the Pixnapping vulnerability allows attackers to steal critical 2FA codes in under 30 seconds while remaining hidden from the user. It is said that anything visible can be compromised when a target app is open.
Pixnapping works by converting mapped pixel coordinates into recognisable alphanumeric characters or geometric shapes. The three-step process begins with the malicious app initiating calls that force a targeted app to display specific data, like a message thread or an authentication code, sending them to the Android rendering pipeline.
The second step involves the malicious app performing basic, repeated graphical operations on the individual pixels that are being processed for rendering. By running a simple binary check on the colour of targeted pixel coordinates, the app can then move to the final stage: measuring the amount of time taken at each coordinate. By combining these time measurements, the attacker can rebuild the image of the data that was sent to the rendering pipeline, one pixel at a time.
The exploit is usually successful because it does not require system-level permissions, bypassing typical Android security mechanisms.
What should Android users do?
Post the discovery, Google has issued a security patch for the vulnerability through the September Android security bulletin. The company has also committed to releasing a more comprehensive patch in the December Android security bulletin.
On the other hand, the researchers have already developed a workaround that allows Pixnapping to function even after Google’s partial patch. Google has stated that there is currently no evidence to suggest the Pixnapping attack has been exploited by malicious actors in the wild.
