A devastating new attack called Pixnapping can steal two-factor authentication codes from Android devices in under 30 seconds without requiring any system permissions. Academic researchers demonstrated the technique on Google Pixel phones and Samsung Galaxy devices, exploiting GPU rendering timing to reconstruct sensitive visual data pixel by pixel. While Google released partial mitigations in September, researchers say modified versions still work.
Android users just got hit with a sobering reality check. A team of academic researchers has unveiled Pixnapping, a sophisticated attack that can steal two-factor authentication codes, chat messages, and other sensitive data from Android devices in less than 30 seconds. The scariest part? The malicious app needed to pull this off requires zero system permissions.
The attack works on Google Pixel phones and Samsung Galaxy S25 devices, with researchers saying it could likely be adapted for other Android models with additional work. Google scrambled to release mitigations in September, but the research team says modified versions of the attack still work even with the update installed.
"Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping," the researchers wrote on their informational website. That includes chat messages, 2FA codes, and email content: basically anything displayed on screen.
The technique builds on GPU.zip, a 2023 attack that allowed malicious websites to steal usernames, passwords, and other visual data by exploiting side channels in GPUs from all major suppliers. Those vulnerabilities were never actually fixed; browsers just limited iframe functionality to block the attack. Now researchers have brought the same concept to mobile.
"This allows a malicious app to steal sensitive information displayed by other apps or arbitrary websites, pixel by pixel," lead author Alan Linghao Wang explained in an interview. "Conceptually, it's as if the malicious app was taking a screenshot of screen contents it shouldn't have access to."
The attack unfolds in three precise steps. First, the malicious app invokes Android APIs that force targeted apps to display sensitive information on screen, such as causing Google Authenticator to show a 2FA code for a specific site. These calls also let attackers scan for installed apps of interest.
Next, Pixnapping performs graphical operations on individual pixels that the targeted app sent to Android's rendering pipeline. The attack checks whether specific pixel coordinates are white or non-white, effectively mapping visual elements one dot at a time.
"Suppose the attacker wants to steal a pixel that's part of where a 2FA character gets rendered by Google Authenticator," Wang said. "This pixel is either white if nothing was rendered there, or non-white if part of a digit was rendered. The attacker causes graphical operations whose rendering time is long if the pixel is non-white and short if it's white."