Pixnapping, as the researchers behind the discovery named it, is a new type of side-channel attack that targets Android devices. It’s a “pixel-stealing” framework that can covertly siphon data from both browser and non-browser apps, like Google Authenticator. The attack works by taking advantage of a hardware side channel present in integrated GPUs and a combination of Android APIs. It’s so fast that it can steal a two-factor authentication (2FA) code in under 30 seconds.
At its core, the Pixnapping attack weaponizes a GPU compression side channel called GPU.zip, which was previously identified as a vulnerability for browser-based attacks. The researchers found that they could combine this with Android’s window blur API to leak rendering data from other apps. A malicious app, even one without special permissions, sends the pixels of a target app (containing sensitive data like a 2FA code) into the Android rendering pipeline. It then overlays semi-transparent activities to analyze and transmit the pixels, repeating this process for each pixel to steal the full image.
According to the researchers, Android is vulnerable to this attack due to three key factors. First, an app can use Android intents to send another app’s activities to the rendering pipeline. Second, a malicious app can use graphical operations like the blur function on the pixels of another app. Finally, the attack measures the color-dependent side effects of these graphical operations to determine the content of the pixels. This specific combination allows for the attack to occur.
Google has issued a patch for the vulnerability (identified as CVE-2025-48561) in its September 2025 Android Security Bulletin. The initial patch, however, only partially mitigated the issue, as researchers found a way to re-enable the attack by altering its timing. As a result, Google is preparing a second, more comprehensive patch to fully address the new attack vector in an upcoming security update. Google has stated that it has not seen any evidence of this exploit being used in the wild.
In addition to stealing sensitive data, the study also revealed that this attack can be used to bypass a security feature implemented in Android 11. Specifically, it can be used to determine if an arbitrary app is installed on the user’s device, which Android 11 and later versions are designed to prevent. This particular finding remains unpatched, with Google having marked it as “won’t fix.” The researchers suggest that a realistic solution for this type of vulnerability would be to allow sensitive apps to opt out of this behavior and to restrict the capabilities of a potential attacker.