#side-channel-attack

#side-channel-attack

The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet. The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work.

The attack works by accessing information about screen display pixels through a hardware side channel ( GPU.zip), using a technique [PDF] described by security researcher Paul Stone in 2013. Stone's work described how SVG filters could be used in a timing attack [PDF] to read the pixel values from a web page in a cross-origin iframe, a method subsequently mitigated by iframe and cross-origin cookie restrictions.

What makes this attack practical is the sensitivity of today's mice, both their high polling rate (the frequency at which they sample movement, measured in kHz), and the resolution with which they detect movement, measured in dots per inch (DPI).

The mouse sitting next to you can be turned into a microphone thanks to some cunning use of its sensors to pick up vibrations from your voice in an attack dubbed Mic-E-Mouse. Researchers at UC Irvine have found that optical mice equipped with 20,000 DPI sensors and decent latency can be used as a basic microphone with software designed to figure out speech patterns based on the vibration of the user's voice. The team used a $35 mouse to test the system and found it could capture speech with 61 percent accuracy, depending on voice frequency.