Two-factor codes are supposed to be an additional form of defence, but what if a seemingly harmless app could read them straight off your screen in under 30 seconds without requesting any permissions? That’s the threat posed by Pixnapping, a new Android side-channel attack that lets a malicious app read on-screen pixels, including 2FA codes, messages and other sensitive data, without requesting any special permissions. Google has assigned CVE-2025-48561 to this flaw.
Why this matters
Pixnapping doesn’t take screenshots or ask for accessibility rights. It abuses how Android renders app windows, combined with GPU timing, to reconstruct pixels one at a time. That means even “permissionless” apps that look harmless can expose whatever is visible on your screen while you use another app (banking apps, authenticators, messaging, etc.).
The core danger of Pixnapping is that the attack can be mounted by any installed Android app, even one with zero permissions listed in its manifest. If a user is tricked into installing a malicious, seemingly harmless app (such as a flashlight or calculator), that app can immediately begin stealing sensitive data from other, trusted applications. This expands the attack surface on Android devices beyond networks and files.
Affected Devices
· Devices running Android 13 through Android 16 (Google Pixel and Samsung Galaxy devices).
· Any app that displays sensitive, visible information is vulnerable, including Google Authenticator, Signal, Venmo, and sensitive web pages (like Gmail/Google Accounts).
How Pixnapping Works
Pixnapping works by combining abuse of existing Android APIs with a hardware side channel: timing differences in how the GPU processes graphical operations.
- Forcing the Pixels: The malicious app uses legitimate Android APIs to temporarily push the sensitive content, such as the six-digit 2FA code from the Google Authenticator app, onto the device’s rendering pipeline (the "conveyor belt").
- The Covert Measurement: The attacker's app stacks multiple semi-transparent activities and uses Android's window blur function. This action engages the phone's GPU (Graphics Processing Unit).
- The Side Channel Leak: The attacker measures minute timing differences in how the GPU processes these graphical operations. Because the processing time is slightly dependent on the color (brightness/pattern) of the underlying pixels, the malicious app can accurately deduce, pixel by pixel, what data is displayed beneath its own window.
- Data Reconstruction: The attacker repeats this process until the entire 2FA code is "read" and reconstructed, enabling full account compromise.
Recommendation
· Patch your device: Install the latest Android/security updates from Google and your OEM immediately.
· Uninstall unknown apps: Remove apps you don’t recognize or that came from outside trusted stores.
· Use app allow lists on corporate devices: Block sideloading and require MDM-managed app installs.
· Monitor device telemetry: Look for apps creating many overlays, calling blur/alpha APIs, or making rapid foreground/background activity changes.
Defences for Organizations and Developers
· Enforce Updates via MDM
Use Mobile Device Management tools to automatically deploy vendor patches and block outdated or unpatched devices from connecting to your network.
· Harden Sensitive Apps
Use FLAG_SECURE to prevent screenshots or screen recordings, limit how long sensitive data (like OTPs) stays visible, and avoid clipboard-based authentication methods.
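The following is an added example of the two hardening measures above, applied to a one-time-code screen in an Android app. It is not code from the original post or from any of the apps it names. The activity, layout and view ids (OtpDisplayActivity, R.layout.activity_otp, R.id.otp_code) and the 15-second visibility limit are assumptions chosen for illustration. FLAG_SECURE does what the post says it does, blocking screenshots, screen recording and mirroring to non-secure displays; the timer and onPause handling shorten the period during which the code is visible at all, which is the exposure window the attack depends on.

```kotlin
import android.os.Bundle
import android.os.Handler
import android.os.Looper
import android.view.WindowManager
import android.widget.TextView
import androidx.appcompat.app.AppCompatActivity

// Hypothetical activity that shows a one-time code. Assumes a layout
// R.layout.activity_otp containing a TextView with id R.id.otp_code.
class OtpDisplayActivity : AppCompatActivity() {

    // How long the code stays readable before it is masked.
    // 15 s is an illustrative value, not a figure from the post.
    private val visibleMillis = 15_000L
    private val handler = Handler(Looper.getMainLooper())
    private lateinit var otpView: TextView

    // Replace the digits with bullets; the value itself is dropped from the view.
    private val maskRunnable = Runnable { otpView.text = "\u2022".repeat(6) }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // FLAG_SECURE must be set before the window is first drawn. It blocks
        // screenshots, screen recording and mirroring to non-secure displays.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        setContentView(R.layout.activity_otp)
        otpView = findViewById(R.id.otp_code)
        // Do not let the code be selected and copied to the clipboard.
        otpView.setTextIsSelectable(false)
    }

    // Called by the app whenever a fresh code is generated (constructed entry point).
    fun showCode(code: String) {
        otpView.text = code
        handler.removeCallbacks(maskRunnable)
        handler.postDelayed(maskRunnable, visibleMillis)
    }

    // Mask immediately when the user switches away: the code should not stay
    // rendered while another app's windows are in front of this one.
    override fun onPause() {
        super.onPause()
        handler.removeCallbacks(maskRunnable)
        maskRunnable.run()
    }

    override fun onDestroy() {
        handler.removeCallbacks(maskRunnable)
        super.onDestroy()
    }
}
```

The masking on onPause matters more than the timer: a code that is only shown while the activity is resumed and in front cannot be rendered beneath someone else's window for long. Whether the code needs to be shown at all (as opposed to being submitted directly by the app) is a separate design question the post's last sentence points at.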
· Detect Overlay & API Abuse
Monitor for apps that frequently use semi-transparent overlays or make excessive calls to Android’s window blur APIs; both can signal malicious behaviour.
· Educate Users
Encourage users to download apps only from trusted sources and to be cautious with unfamiliar or newly installed apps.
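As an added example of the telemetry-based detection suggested both in the Recommendation list (apps creating many overlays, calling blur/alpha APIs, or switching foreground/background rapidly) and under "Detect Overlay & API Abuse", the plain-Kotlin program below scores per-package event streams with a sliding window. This is not code from the original post or from any MDM product. The line format (`<epoch_ms> <package> <event>`), the event names, the thresholds and the sample telemetry are all constructed for illustration; a real deployment would map them onto whatever the device agent actually reports.

```kotlin
// Constructed telemetry format (an assumption, not a real agent schema):
//   <epoch_ms> <package> <event>
// event is one of: OVERLAY_CREATE, BLUR_API, ALPHA_API, FOREGROUND, BACKGROUND

data class Event(val ts: Long, val pkg: String, val kind: String)

data class Verdict(
    val pkg: String,
    val peakOverlays: Int,     // most overlay creations seen in any one window
    val peakBlurAlpha: Int,    // most blur/alpha API calls seen in any one window
    val peakTransitions: Int,  // most foreground/background flips in any one window
    val suspicious: Boolean
)

// Parse lines leniently: malformed lines are skipped rather than aborting the run.
fun parseEvents(lines: List<String>): List<Event> =
    lines.mapNotNull { line ->
        val parts = line.trim().split(Regex("\\s+"))
        if (parts.size != 3) null
        else parts[0].toLongOrNull()?.let { Event(it, parts[1], parts[2]) }
    }

// Thresholds and the 30 s window are illustrative tuning values, not figures from the post.
fun analyse(
    events: List<Event>,
    windowMs: Long = 30_000L,
    maxOverlays: Int = 10,
    maxBlurAlpha: Int = 20,
    maxTransitions: Int = 6
): List<Verdict> =
    events.groupBy { it.pkg }.map { (pkg, evs) ->
        val sorted = evs.sortedBy { it.ts }

        // Largest number of events of the given kinds falling inside any windowMs span.
        fun peak(kinds: Set<String>): Int {
            val ts = sorted.filter { it.kind in kinds }.map { it.ts }
            var best = 0
            var start = 0
            for (end in ts.indices) {
                while (ts[end] - ts[start] > windowMs) start++
                best = maxOf(best, end - start + 1)
            }
            return best
        }

        val overlays = peak(setOf("OVERLAY_CREATE"))
        val blurAlpha = peak(setOf("BLUR_API", "ALPHA_API"))
        val transitions = peak(setOf("FOREGROUND", "BACKGROUND"))
        Verdict(
            pkg, overlays, blurAlpha, transitions,
            suspicious = overlays > maxOverlays || blurAlpha > maxBlurAlpha || transitions > maxTransitions
        )
    }

// Constructed sample: one ordinary app and one app that behaves like the pattern the post describes.
val sampleTelemetry: List<String> = buildList {
    add("1000 com.example.chat FOREGROUND")
    add("1500 com.example.chat OVERLAY_CREATE")
    add("9000 com.example.chat BACKGROUND")
    for (i in 0 until 40) {
        add("${2000 + i * 100} com.example.torch OVERLAY_CREATE")
        add("${2050 + i * 100} com.example.torch BLUR_API")
    }
    for (i in 0 until 8) {
        add("${2000 + i * 400} com.example.torch ${if (i % 2 == 0) "FOREGROUND" else "BACKGROUND"}")
    }
    add("garbage line that should be ignored")
}

fun main() {
    for (v in analyse(parseEvents(sampleTelemetry))) {
        println("${v.pkg}: overlays=${v.peakOverlays} blur/alpha=${v.peakBlurAlpha} " +
                "transitions=${v.peakTransitions} suspicious=${v.suspicious}")
    }
}
```

Run with `kotlinc Detect.kt -include-runtime -d detect.jar && java -jar detect.jar`; on the constructed sample com.example.chat is reported as not suspicious and com.example.torch trips all three thresholds. The sliding window, rather than lifetime totals, is what separates an app that legitimately uses a blur once per session from one that hammers the same APIs dozens of times in a few seconds.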