Researchers have described a new Pixnapping attack. All it takes is installing a malicious application that doesn’t ask for any permissions, not even access to screen recording, camera, or microphone. Then, based on the pixel rendering time, it «reads» everything that’s currently visible on the display: two-factor authentication codes, chat messages, emails, and geolocation.
Researchers have described a new Pixnapping attack. All it takes is installing a malicious application that doesn’t ask for any permissions, not even access to screen recording, camera, or microphone. Then, based on the pixel rendering time, it «reads» everything that’s currently visible on the display: two-factor authentication codes, chat messages, emails, and geolocation.
According to Ars Technica, Pixnapping works by a simple logic: a malicious application forces the desired program to display sensitive data on the screen, covers it with a «transparent» window and measures how long it takes the phone to draw individual dots of the image. By the delay, you can understand what color it is, and then put the picture together and read the numbers or text. It’s like a slow «screenshot» that other programs should not be allowed to access.
The team tested the attack on Google Pixel and Samsung Galaxy S25 smartphones. On Pixel 6, 7, 8, and 9, they were able to recover 6-digit Google Authenticator codes in a significant proportion of attempts, typically in 14–26 seconds, which is within the 30-second validity of a one-time password. On Galaxy S25, the attack failed the first time due to «noise,» but the researchers believe that further refinement will yield results.
Google partially closed the vulnerability in a September security bulletin and is preparing another patch in December. The company says there are no signs of real exploits yet, but the authors of the work demonstrate variants that bypass the first fix. An important detail: Pixnapping does not steal «invisible» secrets (such as keys in memory). It only reads what is actually displayed on the screen at that moment.
What the user should do. Install applications only from the official store, do not install «useful utilities» from unknown sites, update Android and system components, enable screen lock, and do not open the code from Authenticator next to suspicious applications. For important accounts, it is worth additionally activating backup security keys.
Pixnapping is related to last year’s GPU.zip technique, which also read images through time leaks during graphics processing. At that time, browsers limited the problematic scenarios, and hardware manufacturers did not release patches. The current work again shows the limits of the promise of «one program does not see another»: if the data is on the screen, leaks are possible. The practical risk is still low, the attack is not easy to implement en masse, but it reminds us: the best defense is attentiveness to application sources and timely updates.
Previously, dev.ua wrote about how Google is implementing a new security feature in Android 16 that will warn users if their smartphone is using a fake or unsecured mobile network or if such a network is trying to obtain their identification data.
