New Pixnapping Attack Steals Sensitive Data from Android Phones


Researchers at Carnegie Mellon University have identified a new attack method called Pixnapping that allows malicious applications to steal sensitive, on-screen data from Android devices, even without requiring any permissions. The attack has been successfully demonstrated against both Google and Samsung phones. 

How Pixnapping Works 

Pixnapping is a GPU side-channel attack that conceptually acts like a malicious app taking a screenshot of content it shouldn't be able to access. The attack begins when a user is tricked into installing a malicious, zero-permission app. 

The malicious app then forces graphical operations on pixels within a targeted legitimate app, typically where sensitive data is displayed. The researchers use Android’s window blur API and VSync callbacks to induce these operations and measure the rendering time. A GPU side channel known as GPU.zip is then used to steal the targeted pixels one at a time, all while the malicious app appears to be running in the foreground.

Successful Targets and Mitigation 

During testing, researchers managed to recover sensitive data from apps and websites including Gmail, Google Accounts, Venmo, Signal, and Google Maps. The attack is particularly effective against apps with predictable layouts, such as Google Authenticator, where researchers managed to steal 2FA codes in under 30 seconds, beating the code’s expiration time. Success rates for stealing 2FA codes on Pixel devices ranged from 29% to 73%. 

Google was informed of the vulnerability (CVE-2025-48561) in February 2025 and released a patch in the September Android updates. However, the researchers have already found a way to bypass this initial fix. Google is now developing an additional patch, expected to be released in December. The tech giant stated that it has not yet observed any evidence of the exploit being used in attacks on Google Play. 
