Researchers from UC Berkeley, UC San Diego, the University of Washington, and Carnegie Mellon say they’ve developed a practical proof‑of‑concept that lets a malicious Android app infer on‑screen pixels and exfiltrate small but sensitive bits of information—including one‑time 2FA codes.
At its core, the attack exploits a side channel: instead of breaking app logic or the browser, it observes subtle physical and timing behaviors in the graphics pipeline to reconstruct pixel values. The team calls the technique Pixnapping.
While pixel‑based side channels are not new, the paper describes new ways to measure and interpret pixel behavior that bypass browser protections and reach into non‑browser apps such as Google Maps, Signal, and Venmo — and into websites including Gmail. The researchers say they were even able to retrieve temporary codes from Google Authenticator.
The experiments were carried out on recent Android hardware — Google Pixel 6, 7, 8, and 9 models and a Samsung Galaxy S25 — and, according to the paper, succeeded in extracting secrets from both browsers and native apps. The group notified Google and Samsung in early 2025; Google has issued partial mitigations as of October 2025, the researchers report, but workarounds and incomplete fixes mean some exposure may remain. The team also cautions that other Android models could be vulnerable.
Executing Pixnapping is not trivial. It requires deep, low‑level knowledge of Android internals and graphics hardware. This is not a casual “run‑and‑steal” script for inexperienced attackers. But the researchers warn that once the technique is implemented, it can be packaged inside an app that looks benign and distributed like any other Android malware. To succeed, an attacker still needs a foothold — convincing a user to install the malicious app.
How the attack works, in plain terms: the malicious app uses Android Intents (the platform’s inter‑app messaging mechanism) and stacks nearly transparent windows over the target app. By observing timing and other side‑channel signals that vary with pixel color, the app can infer pixel values. The paper notes the method is fast: in their tests, it could capture temporary 2FA tokens from Google Authenticator in under 30 seconds. Extracted data is then sent to an attacker‑controlled command‑and‑control server.
“Conceptually, it is as if any app could take a screenshot of other apps or websites without permission, which is a fundamental violation of Android’s security model,” a researcher said.
The paper’s publication is a reminder that even small leaks at the display or hardware level can produce large security consequences. Until comprehensive platform fixes land, the simplest user defenses remain unchanged: install apps only from trusted sources, scrutinize requested permissions, and remove apps you don’t recognize.
For organizations and platform vendors, the work underscores the need to harden graphics and inter‑app interfaces against side channels, and to treat seemingly innocuous UI behavior as a potential attack surface.
How to protect yourself from Pixnapping attacks
While the technical details of Pixnapping are complex, there are practical steps you can take to keep your 2FA codes and other sensitive data safe:
- Keep your device and apps updated: Install security updates as soon as they’re available. Google and Samsung are rolling out fixes for this vulnerability, tracked as CVE‑2025‑48561, so don’t ignore those prompts.
- Be careful what you install: Only download apps from trusted sources like Google Play. Check reviews and permissions before installing, and avoid sideloading unknown APKs. Ask yourself if the permissions an app requests are truly necessary.
- Review app permissions regularly: Android’s permission system has improved, but it’s wise to periodically check what apps can do. Revoke permissions for apps you rarely use or don’t trust.
- Handle sensitive data carefully: Don’t store or display sensitive info—like 2FA codes, logins, or addresses—unnecessarily in apps. Close apps when you’re done using them.
- Stay informed: Monitor security news and official announcements from Google and Samsung about patches or mitigations for this vulnerability, and act promptly.
- Enable Google Play Protect: Keep Play Protect active to detect and block malicious apps before they’re installed.
- Use up-to-date security software: Run a reputable, real-time anti-malware solution on your Android device, ideally one with web protection capabilities, to provide an extra layer of defense.
Following these steps won’t make attacks impossible, but they significantly reduce the risk of falling victim to Pixnapping or similar side-channel exploits.
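The "be careful what you install" and "review app permissions" advice above can be turned into a repeatable check. The script below is an added example, not from the article or the researchers: it reads the installer-attribution output of Android's package manager (`adb shell pm list packages -3 -i`) and flags third-party packages that did not come from Google Play. The trusted-installer list and the sample package names are assumptions constructed for the example; the output format parsed (`package:<name>  installer=<installer>`, with `null` when the installer is unknown) is the form `pm list packages -i` prints.

```shell
#!/bin/sh
# Added example (not from the article): list third-party Android packages whose
# recorded installer is not a trusted store, i.e. likely sideloaded apps.
# Running against a real device needs adb with an authorized device attached;
# the CONSTRUCTED sample below lets the filter run offline.

# Installer package ids we treat as trusted (assumption: Google Play only).
TRUSTED_INSTALLERS="com.android.vending"

# list_third_party: raw `pm list packages -3 -i` output from the attached device,
# one line per package, e.g. "package:com.example.app  installer=com.android.vending".
list_third_party() {
    adb shell pm list packages -3 -i
}

# flag_sideloaded: reads pm output on stdin and prints "<package>\t<installer>"
# for every package whose installer is not in TRUSTED_INSTALLERS (including
# "null", which is what pm prints when the installer is unknown).
flag_sideloaded() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;      # skip anything that is not a package record
        esac
        # Split on whitespace: $1 = "package:<name>", $2 = "installer=<id>"
        set -- $line
        pkg=${1#package:}
        installer=${2#installer=}
        trusted=0
        for t in $TRUSTED_INSTALLERS; do
            [ "$installer" = "$t" ] && trusted=1
        done
        [ "$trusted" -eq 1 ] || printf '%s\t%s\n' "$pkg" "$installer"
    done
}

# Constructed sample in the format `pm list packages -3 -i` prints; the package
# names are hypothetical and do not refer to real apps.
SAMPLE='package:com.example.bank  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.notes  installer=com.example.sideload.store'

# count_sideloaded_sample: number of flagged packages in the sample (2).
count_sideloaded_sample() {
    printf '%s\n' "$SAMPLE" | flag_sideloaded | wc -l | tr -d ' '
}

# sample_is_flagged <package>: exit 0 if the package is flagged in the sample.
sample_is_flagged() {
    printf '%s\n' "$SAMPLE" | flag_sideloaded | cut -f1 | grep -qx "$1"
}

if [ "${1:-}" = "--device" ]; then
    list_third_party | flag_sideloaded      # audit the attached device
else
    printf '%s\n' "$SAMPLE" | flag_sideloaded   # demonstrate on the sample
fi
```

Run it with `--device` to audit a connected phone; anything it prints is a package worth reviewing (and removing if you do not recognize it), which is exactly the manual check the list above describes. A package installed from Google Play is not thereby safe, so this narrows the review rather than replacing it.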
We don’t just warn about mobile security risks—we help you stop them.
Prevent vulnerabilities before they become headlines. Protect your apps and devices with our security testing services and ensure your systems are secure.