STEALING CODES ONE PIXEL AT A TIME

Hackers can steal 2FA codes and private messages from Android phones

Malicious app required to make “Pixnapping” attack work requires no permissions.

Dan Goodin – Oct 13, 2025 5:36 pm | 128

Samsung's S25 phones. Credit: Samsung

Android devices are vulnerable to a new attack that can covertly steal two-factor authentication codes, location timelines, and other private data in less than 30 seconds.

The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet. The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work. Google released mitigations last month, but the researchers said a modified version of the attack works even when the update is installed.

Like taking a screenshot

Pixnapping attacks begin with the malicious app invoking Android programming interfaces that cause the authenticator or other targeted apps to send sensitive information to the device screen. The malicious app then runs graphical operations on individual pixels of interest to the attacker. Pixnapping then exploits a side channel that allows the malicious app to map the pixels at those coordinates to letters, numbers, or shapes.

“Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping,” the researchers wrote on an informational website. “Chat messages, 2FA codes, email messages, etc. are all vulnerable since they are visible. If an app has secret information that is not visible (e.g., it has a secret key that is stored but never shown on the screen), that information cannot be stolen by Pixnapping.”

The new attack class is reminiscent of GPU.zip, a 2023 attack that allowed malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites. It worked by exploiting side channels found in GPUs from all major suppliers. The vulnerabilities that GPU.zip exploited have never been fixed. Instead, the attack was blocked in browsers by limiting their ability to open iframes, an HTML element that allows one website (in the case of GPU.zip, a malicious one) to embed the contents of a site from a different domain.

Pixnapping targets the same side channel as GPU.zip, specifically the precise amount of time it takes for a given frame to be rendered on the screen.

“This allows a malicious app to steal sensitive information displayed by other apps or arbitrary websites, pixel by pixel,” Alan Linghao Wang, lead author of the research paper “Pixnapping: Bringing Pixel Stealing out of the Stone Age,” explained in an interview. “Conceptually, it is as if the malicious app was taking a screenshot of screen contents it should not have access to. Our end-to-end attacks simply measure the rendering time per frame of the graphical operations… to determine whether the pixel was white or non-white.”

Pixnapping in three steps

The attack occurs in three main steps. In the first, the malicious app invokes Android APIs that make calls to the app the attacker wants to snoop on. These calls can also be used to effectively scan an infected device for installed apps of interest. The calls can further cause the targeted app to display specific data it has access to, such as a message thread in a messaging app or a 2FA code for a specific site. This call causes the information to be sent to the Android rendering pipeline, the system that takes each app’s pixels so they can be rendered on the screen. The Android-specific calls made include activities, intents, and tasks.

In the second step, Pixnapping performs graphical operations on individual pixels that the targeted app sent to the rendering pipeline. These operations choose the coordinates of target pixels the app wants to steal and begin to check if the color of those coordinates is white or non-white or, more generally, if the color is c or non-c (for an arbitrary color c).

“Suppose, for example, [the attacker] wants to steal a pixel that is part of the screen region where a 2FA character is known to be rendered by Google Authenticator,” Wang said. “This pixel is either white (if nothing was rendered there) or non-white (if part of a 2FA digit was rendered there). Then, conceptually, the attacker wants to cause some graphical operations whose rendering time is long if the target victim pixel is non-white and short if it is white. The malicious app does this by opening some malicious activities (i.e., windows) in front of the victim app that was opened in Step 1.”

The third step measures the amount of time required at each coordinate. By combining the times for each one, the attack can rebuild the images sent to the rendering pipeline one pixel at a time.

As Ars reader hotball put it in the comments below:

Basically the attacker renders something transparent in front of the target app, then using a timing attack exploiting the GPU’s graphical data compression to try finding out the color of the pixels. It’s not something as simple as “give me the pixels of another app showing on the screen right now.” That’s why it takes time and can be too slow to fit within the 30 seconds window of the Google Authenticator app.

In an online interview, paper co-author Ricardo Paccagnella described the attack in more detail:

Step 1: The malicious app invokes a target app to cause some sensitive visual content to be rendered.

Step 2: The malicious app uses Android APIs to “draw over” that visual content and cause a side channel (in our case, GPU.zip) to leak as a function of the color of individual pixels rendered in Step 1 (e.g., activate only if the pixel color is c).

Step 3: The malicious app monitors the side effects of Step 2 to infer, e.g., if the color of those pixels was c or not, one pixel at a time.

Steps 2 and 3 can be implemented differently depending on the side channel that the attacker wants to exploit. In our instantiations on Google and Samsung phones, we exploited the GPU.zip side channel. When using GPU.zip, measuring the rendering time per frame was sufficient to determine if the color of each pixel is c or not. Future instantiations of the attack may use other side channels where controlling memory management and accessing fine-grained timers may be necessary (see Section 3.3 of the paper). Pixnapping would still work then: the attacker would just need to change how Steps 2 and 3 are implemented.

The amount of time required to perform the attack depends on several variables, including how many coordinates need to be measured. In some cases, there’s no hard deadline for obtaining the information the attacker wants to steal. In other cases—such as stealing a 2FA code—every second counts, since each one is valid for only 30 seconds. In the paper, the researchers explained:

To meet the strict 30-second deadline for the attack, we also reduce the number of samples per target pixel to 16 (compared to the 34 or 64 used in earlier attacks) and decrease the idle time between pixel leaks from 1.5 seconds to 70 milliseconds. To ensure that the attacker has the full 30 seconds to leak the 2FA code, our implementation waits for the beginning of a new 30-second global time interval, determined using the system clock.

… We use our end-to-end attack to leak 100 different 2FA codes from Google Authenticator on each of our Google Pixel phones. Our attack correctly recovers the full 6-digit 2FA code in 73%, 53%, 29%, and 53% of the trials on the Pixel 6, 7, 8, and 9, respectively. The average time to recover each 2FA code is 14.3, 25.8, 24.9, and 25.3 seconds for the Pixel 6, Pixel 7, Pixel 8, and Pixel 9, respectively. We are unable to leak 2FA codes within 30 seconds using our implementation on the Samsung Galaxy S25 device due to significant noise. We leave further investigation of how to tune our attack to work on this device to future work.

In an email, a Google representative wrote, “We issued a patch for CVE-2025-48561 in the September Android security bulletin, which partially mitigates this behavior. We are issuing an additional patch for this vulnerability in the December Android security bulletin. We have not seen any evidence of in-the-wild exploitation.”

Pixnapping is useful research in that it demonstrates the limitations of Google’s security and privacy assurances that one installed app can’t access data belonging to another app. The challenges in implementing the attack to steal useful data in real-world scenarios, however, are likely to be significant. In an age when teenagers can steal secrets from Fortune 500 companies simply by asking nicely, the utility of more complicated and limited attacks is probably of less value.

Post updated to add details about how the attack works.

Dan Goodin Senior Security Editor

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.

128 Comments

Staff Picks

hotball

I think a better question is "Why is an app's rendering pipeline accessible to other apps in Android without any system permissions?" I'd expect there to be at least some minimal isolation of app memory/processes that requires explicit OS permission request for an app to penetrate...

It's a side channel attack. Basically the attacker renders something transparent in front of the target app, then using a timing attack exploiting the GPU's graphical data compression to try finding out the color of the pixels. It's not something as simple as "give me the pixels of another app showing on the screen right now." That's why it takes time and can be too slow to fit within the 30 seconds window of the Google Authenticator app.

October 14, 2025 at 12:45 am

hotball

What I don't understand is how the malicious app can render something on top of another app without the "display over other apps" permission, which is already known to be a dangerous permission to grant in general.

My understsanding from the paper is that they use intent to launch the victim app, then SurfaceFlinger combines the windows together. By setting SurfaceControl's blur radius they can achieve this without the permission.

October 14, 2025 at 4:49 am

VividVerism

Good question.

The app doesn't have access to another app's rendering.

The app makes detailed time measurements of how long it takes to render its own graphics. Depending on what is already displayed on the screen (from the other app), individual pixels take longer to render in one color versus another. To the human eye the difference is imperceptible but it's long enough to measure statistically by an on-device process with access to precise time measurement APIs.

That's the nature of a side channel. The malicious app doesn't have direct access to what is rendered to the screen from another app. It must infer what is rendered on the screen through timing measurements (or sometimes power measurements, vibration measurements, etc. depending on the side channel).

October 14, 2025 at 2:01 pm

VividVerism

Oh boy, yet another "security researcher' trying to get that 15 min of fame with a rehash of a screenshot attack.. Yeesh!

Oh boy, yet another "edgy" poster trying to to look smart with a hot take without reading the article or making any effort whatsoever to understand the content first.

October 15, 2025 at 12:52 am

adamsc

Uhhh. Ars would beg to differ

Passkeys right now suck really hard if you have several different devices, or especially god forbid want to use multiple different browsers.

First, passkeys are a subset of FIDO-2/WebAuthn – I've been using Yubikeys for FIDO-2 across multiple devices and operating systems for almost half a decade and it's completely painless: faster than TOTP/SMS and easier to setup, and it works on mobile and desktop devices without any additional software installs required (unlike TOTP) so you can use it on locked-down devices, too.

Second, even for passkeys that article is old and not everything you mentioned is accurate in 2025. For example, if you are a Mac user who wants to use your passkey in Chrome, Edge, Firefox, and Safari that just works because they've all all shipped support for the system password store. Similarly, if you're a cross-platform user using 1Password, Bitwarden, etc. that's been fine for a while. The one remaining issue is support for the Passkey CXP protocol (which has shipped from Apple, Bitwarden, but not everyone) but that's only important for people who need cross-platform / cross-password manager support so e.g. the people who are all in on a single vendor like Apple, Google, or Microsoft or who use a single portable password manager don't need to wait for that.

It's also a relatively manageable problem since anyone implementing WebAuthn correctly allows multiple keys to be registered and so instead of being blocked, it just means that each family of password manager you use gets registered twice or, in the case of something like GitHub, you register your personal and work identities once and never think about it for years, except if you remember how it used to be slower to login but now it's fast.

I have a Yubikey but not many sites really support it. It seems like a technology that's failed to catch on.

It's caught on in sectors which care about security, and that includes most of the big tech companies – Google, Microsoft, Apple, AWS, Facebook, etc. and all of the major SSO providers support it, for example. Some less capable companies like banks haven't upgraded yet but that's largely because they tend to be very complacent about things which are not required by regulation and they can get away with that as long as people pretend that TOTP/SMS aren't routinely phished. I brought it up because we have to stop pretending those qualify as secure so the slackers feel the need to step into the current century.

As a similar comparison, remember when companies used to treat someone's social security number as an authenticator but after that was abused enough it became common to recognize that as negligence on the business's part? We need that same awareness for code-based MFA so they stop thinking of secure options like FIDO-2/WebAuthn as an extra cost and start seeing them as a way of saving money versus their insurers charging more to cover thefts involving easily-phished authentication and their auditors flagging it as a risk.

October 15, 2025 at 1:53 am