
"Android devices are vulnerable to a new attack that can covertly steal two-factor authentication codes, location timelines, and other private data in less than 30 seconds. The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet. The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen."
"'Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping,' the researchers wrote on an informational website. 'Chat messages, 2FA codes, email messages, etc. are all vulnerable since they are visible. If an app has secret information that is not visible (e.g., it has a secret key that is stored but never shown on the screen), that information cannot be stolen by Pixnapping.'"
Pixnapping is a side-channel attack that can extract information visible on screen, such as 2FA codes, chat messages, and location timelines, in under 30 seconds. It requires the victim to install a malicious Android app, but that app requests no system permissions, so the usual permission prompts give no warning. The malicious app launches the target app so that it renders the sensitive content, then performs graphical operations on individual screen pixels and maps the pixel values it recovers, by coordinate, to letters, numbers, or shapes in order to reconstruct the content. The attack has been demonstrated on Google Pixel and Samsung Galaxy S25 devices and may be adaptable to other models. Mitigations have been released, but modified versions of the attack bypass some of them. Only data actually drawn on screen is exposed; secrets an app stores but never displays are out of reach.
Read at WIRED