Android users are facing a serious new threat despite Google’s efforts to patch the vulnerability, according to a research report.
A paper from UC Berkeley, University of Washington, UC San Diego and Carnegie Mellon details “Pixnapping,” an attack that lets malicious apps steal sensitive screen data, including 2FA codes, emails, and location history.
Researchers say the attack exploits Android’s rendering pipeline and bypasses browser protections.
“A malicious app can force victim pixels into the rendering pipeline by opening a victim activity using intents and compute on those pixels using a stack of semi-transparent activities.
We demonstrate an end-to-end attack capable of stealthily stealing security-critical and ephemeral 2FA codes from Google Authenticator in under 30 seconds.”
Although Google attempted to patch the vulnerability on September 2nd, researchers say they’ve discovered a workaround, and the patch does not fully mitigate the attack.
The method has been successfully tested Google Pixel 6, 7, 8, 9, and Samsung Galaxy S25 phones.
However, the 2FA code recovery attack was not successful on the Galaxy due to “significant noise,” with more fine tuning required to retrieve the data.
Follow us on X, Facebook and TelegramGenerated Image: Midjourney