
Pixnapping Attack Can Steal 2FA Codes from Android Phones in Seconds
Android users are facing a new security threat that can silently steal private data, including two-factor authentication (2FA) codes. The attack, called Pixnapping, allows hackers to capture what’s displayed on a device screen without asking for any permissions.
Developed by a team of academic researchers, Pixnapping can extract 2FA codes, chat messages, and emails from Android phones — all in under 30 seconds. The researchers tested the attack on Google Pixel and Samsung Galaxy S25 devices, proving that it can bypass standard Android security barriers.
How Pixnapping Works
Pixnapping starts with a malicious app that looks harmless and doesn’t request any special permissions. Once installed, the app uses Android’s own system functions to trigger visual content from other apps — such as an authenticator showing a 2FA code or a messaging app displaying private chats.
The app then analyses individual pixels on the screen using a technique known as a side-channel attack. By measuring how long each pixel takes to render, it can determine whether a pixel is white, colored, or part of a number or letter. In simple terms, it’s like the app is taking a screenshot without actually doing so.
Similar to GPU.zip Attacks
Pixnapping builds upon a previous vulnerability known as GPU.zip, discovered in 2023. GPU.zip showed that graphics processors (GPUs) could leak visual data such as usernames and passwords through timing patterns.
Pixnapping exploits the same weakness, this time on Android devices. It measures frame rendering time to reconstruct what appears on the screen. That means anything visible — from a 2FA code to a message notification — can potentially be stolen.
Google’s Response and Security Patch
Google acknowledged the vulnerability and released a partial patch in its September 2025 Android security update (CVE-2025-48561). However, researchers found that a modified version of Pixnapping still works on patched devices. Google says it will release another fix in December and that there’s no evidence of real-world exploitation so far.
The researchers noted that while Pixnapping is complex to execute, it exposes the limitations of Android’s app isolation system, which promises that one app cannot read another’s data.
What Users Should Know
For now, experts recommend avoiding apps from unknown sources and downloading only from trusted stores like Google Play. Since Pixnapping requires users to install a malicious app first, careful installation habits can prevent attacks.
Users should also keep their Android phones updated and enable Google Play Protect. Though Pixnapping remains a research-level exploit, its discovery shows that even permissionless apps can pose major risks if attackers find new ways to exploit GPU behavior.