Experts from the Universities of Berkeley, Washington, San Diego, and Carnegie Mellon have published a report on a critical vulnerability in Android called Pixnapping. The attack allows malicious apps to stealthily obtain data displayed on the device’s screen, including 2FA, email, geolocation, and other confidential information.
How the Pixnapping attack works
The essence of the method is that attackers exploit features of Android’s graphic rendering to intercept pixels from active screens of other apps.
The researchers explain that a malicious app can open so-called intents—internal Android processes—and place a stack of semi-transparent activities on top of them, collecting the screen image.
‘We demonstrated a full-fledged attack capable of stealthily stealing critical data—including temporary 2FA codes from Google Authenticator—in less than 30 seconds,’ the report says.
In fact, Pixnapping allows ‘spying’ on the user in real time, and the attack does not require root access or screen recording permissions, which makes it especially dangerous.
Google’s attempt to fix the vulnerability failed
Google already tried to address the issue on September 2 by releasing a security update. However, researchers claim that the patch was not effective enough—they managed to bypass the protection using a modified attack scenario.
Tests showed that the vulnerability works on Google Pixel as well as Samsung Galaxy S25. On Samsung devices, interception of 2FA codes was less stable due to a ‘high level of noise,’ but researchers are confident that further optimization will eliminate these limitations.
Potential consequences
Pixnapping opens access not only to authentication codes but also to information displayed in messengers, email clients, and banking apps. Essentially, the attack turns any on-screen activity into a source of leakage.
The authors of the study emphasize that the threat is especially dangerous for users relying on Google Authenticator or similar apps without cloud backup for codes. When screen data is stolen, attackers can obtain temporary access codes to accounts, bypassing passwords and biometrics.
Community response and next steps
The researchers sent detailed information about the vulnerability to Google as part of the Responsible Disclosure program and recommend that the company completely rethink Android’s rendering system to eliminate the possibility of pixel interception between processes.
At the time of publication, Google had not released a new update to fix the discovered vulnerability. Users are advised to temporarily limit the installation of unknown apps and regularly update their security system.
According to experts, Pixnapping may become one of the most significant Android vulnerabilities in recent years, as it affects the very mechanism of data display, not just individual components or permissions.
Read more: Tether expands its presence in Solana with USDT0 and XAUT0 tokens via LayerZero technology
