New Pixnapping Android Flaw Lets Rogue Apps Steal 2FA Codes Without Permissions
Briefly

"The attack has been codenamed Pixnapping by a group of academics from the University of California (Berkeley), University of Washington, University of California (San Diego), and Carnegie Mellon University. Pixnapping, at its core, is a pixel-stealing framework aimed at Android devices in a manner that bypasses browser mitigations and even siphons data from non-browser apps like Google Authenticator by taking advantage of Android APIs and a hardware side-channel, allowing a malicious app to weaponize the technique to capture 2FA codes in under 30 seconds."
"What makes the novel attack significant is that any Android app can be used to execute it, even if the application does not have any special permissions attached via its manifest file. However, the attack presupposes that the victim has been convinced by some other means to install and launch the app. The side-channel that makes Pixnapping possible is GPU.zip, which was disclosed by some of the same researchers back in September"
Pixnapping exploits Android APIs and a GPU hardware side-channel to force victim pixels into the rendering pipeline and compute on them using semi-transparent activities. The technique bypasses browser mitigations and can siphon data from non-browser apps such as Google Authenticator and Google Maps timelines. Any Android app can execute the attack without requiring special manifest permissions, though the victim must install and launch the malicious app. Testing focused on five Google and Samsung devices running Android 13–16, but the underlying methodology is present across Android devices. The hardware side-channel enabling the attack is known as GPU.zip.
Read at The Hacker News