Pixnapping Attack Steals 2FA Codes in Under 30 Seconds

A group of cybersecurity researchers has revealed a new class of side-channel attack called Pixnapping, capable of stealing sensitive visual data directly from your Android device’s screen—including 2FA codes from Google Authenticator—in less than 30 seconds.

What makes this attack alarming is that it doesn’t require special permissions, root access, or even direct user interaction. It silently intercepts screen-rendered information from legitimate apps without leaving visible traces.

At TecnetOne, we break down how Pixnapping works, which devices are vulnerable, and how to defend yourself from this unprecedented threat.

What Is Pixnapping?

Pixnapping is a side-channel attack targeting Android devices, exploiting visual data displayed on-screen instead of traditional vulnerabilities or password breaches.

It can extract:

1. 2FA codes from apps like Google Authenticator

1. Private messages from apps like Signal

1. Banking or transfer info from apps like Venmo

1. Emails and alerts from Gmail

1. Real-time location from Google Maps

Presented at ACM CCS 2025, the researchers demonstrated that Pixnapping can recover visual data in under 30 seconds without elevated privileges, using only the phone’s GPU and intent system.

You might also be interested in: New Android Malware Disguises Itself as Russian FSB Antivirus

How the Pixnapping Attack Works

Pixnapping exploits a combination of Android UI architecture and GPU compression behavior.

Here’s how it works:

1. Malicious app launch
   A seemingly innocent app (e.g., calculator or wallpaper app) uses Android “intents” to launch a target app like Google Authenticator.

1. Transparent overlay placement
   It places blurred, transparent overlays using SurfaceFlinger, Android’s screen compositor, to create a visual layer above the target app.

1. GPU compression side-channel
   The Mali GPU, used in Google Pixel and Samsung phones, compresses uniform (white) pixels faster than colored ones.
   By measuring compression/rendering delays, attackers infer pixel colors and reconstruct the screen image.

1. Sensitive data extraction
   Using a lightweight OCR model, the malware extracts 2FA codes by analyzing just 4 pixels per digit, fast enough to grab the code before it refreshes.

Pixel stealing framework (Source: Cyber Security Nwes)

Devices and Android Versions Affected

Pixnapping has been tested on modern Android devices, especially those using Mali GPUs:

1. Google Pixel 6, 7, 8, 9

1. Samsung Galaxy S25

1. Android versions 13 through 16

Out of nearly 100,000 Android apps analyzed, 96,783 had at least one exported activity exploitable via intents.

Even web apps and browsers are at risk: 99.3% of the most-visited websites are susceptible due to iframe and overlay weaknesses.

Why Pixnapping Is So Dangerous

This attack is uniquely stealthy:

1. No permissions or root access required

1. Leaves no visual trace on-screen

1. Runs silently in background while you use your phone

It even bypasses security features of apps like Signal, which block screenshots, by directly reading pixel data from the GPU—not the screen itself.

Google’s Response and How to Protect Yourself

Google has classified Pixnapping as high severity (CVE-2025-48561) and released a security patch for Pixel devices in September 2025.

However, Samsung has downplayed the issue, calling it low severity—a position many security researchers disagree with due to how replicable and dangerous the method is.

TecnetOne recommends the following steps:

1. Update your device
   Install the September 2025 patch or latest available updates.

1. Avoid sideloaded apps
   Even without permissions, malicious apps often hide outside the Play Store.

1. Manage overlay permissions
   Go to Settings > Special App Access > Display Over Other Apps and revoke access from suspicious apps.

1. Use secure 2FA tools
   Adopt hardware keys (like YubiKey) or secure mobile authenticators such as Acronis Cyber Protect Mobile, recommended for enterprise use.

1. Watch for unusual behavior
   A sudden battery drain or lag may indicate GPU-intensive background activity like Pixnapping.

What Pixnapping Reveals About Android

Beyond the specific vulnerability, Pixnapping highlights a broader architectural weakness in Android:

1. The layered UI system and GPU compositing—ideal for multitasking—create unintended data leakage paths.

1. Transparent overlays, combined with GPU compression behavior, expose sensitive screen content without direct access.

Researchers suggest browser-style mitigations such as:

1. Restricting transparent overlays (like web frame-ancestor policies)

1. GPU-level isolation for secure apps

Learn more: How to Detect and Remove Spyware Apps on Android

What Enterprises Should Do

For companies managing Android device fleets, Pixnapping presents a major security challenge.

TecnetOne recommends enterprise-level actions:

1. Use Mobile Device Management (MDM) to restrict app installation

1. Disable overlays and accessibility services on work devices

1. Audit internal apps for exported activities or overlay vulnerabilities

1. Deploy endpoint protection solutions like Acronis Cyber Protect Cloud with mobile threat monitoring

Conclusion

Pixnapping proves that attackers no longer need malware or password cracking to steal your data—reading pixels is enough.

This attack is silent, fast, and hard to detect—making it a perfect tool for targeted 2FA theft, identity fraud, and more.

At TecnetOne, we remind you: proactive security is the only real defense.

Keep your systems patched, apps vetted, and screen behavior monitored. In today’s threat landscape, your phone screen could be the next open window for attackers.