With a new technique, malicious actors can reconstruct screen contents pixel by pixel to obtain sensitive information such as 2FA codes.
Researchers have discovered a new attack on Android that allows malicious actors to steal two-factor authentication codes, chat messages, and other screen information within thirty seconds. The attack is called Pixnapping and exploits a vulnerability in how Android renders graphics.
App without Permissions, yet Dangerous
Pixnapping only requires the victim to install a malicious app. This app doesn’t need any additional system permissions, but can still ‘read’ pixels belonging to other apps through subtle timing variations in the graphics processor. For example, it can reconstruct digits from the Google Authenticator app or parts of messages from a chat window.
The attack works by measuring how long it takes to render specific pixels. These timing differences reveal each pixel’s color and make it possible to reconstruct the screen content frame by frame. In tests, the researchers recovered complete 2FA codes on Pixel phones, sometimes in less than 25 seconds.
Google Working on Patch
Google has partially patched the vulnerability (CVE-2025-48561) in the September security update and will release an additional update in December, Google told Ars Technica. So far there is no evidence that the attack has been exploited, but experts recommend installing updates immediately and avoiding apps from unknown sources.
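As an added example (not code from the article, Google, or the researchers), here is a small POSIX shell check a device administrator could run over adb to see whether an attached Android phone carries at least the September 2025 patch level the article names as the partial fix. It assumes adb is on PATH with one authorised device attached, and relies on the standard Android property ro.build.version.security_patch, which holds a YYYY-MM-DD patch level.

```shell
#!/bin/sh
# Added example, not from the article: report whether an attached Android
# device has at least the September 2025 security patch level, which the
# article says contains Google's partial fix for CVE-2025-48561.
# Assumes: adb on PATH, one authorised device, and the standard property
# ro.build.version.security_patch in YYYY-MM-DD form.

# Android publishes two levels per monthly bulletin (YYYY-MM-01 and -05);
# the -01 level is the lowest that can include that month's fixes.
PIXNAPPING_PARTIAL_FIX="2025-09-01"

# patch_at_least LEVEL MINIMUM
#   exit 0 if LEVEL >= MINIMUM, 1 if LEVEL is older,
#   2 if LEVEL is not a YYYY-MM-DD string.
#   Dashes are stripped so the dates compare as plain integers (20250905).
patch_at_least() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    [ "$(printf '%s' "$1" | sed 's/-//g')" -ge \
      "$(printf '%s' "$2" | sed 's/-//g')" ]
}

# report_patch_status LEVEL -> one-line verdict on stdout; exit code as above.
report_patch_status() {
    rc=0
    patch_at_least "$1" "$PIXNAPPING_PARTIAL_FIX" || rc=$?
    case $rc in
        0) echo "$1: September 2025 partial fix present; still apply the December update" ;;
        1) echo "$1: OLDER than the September 2025 patch; CVE-2025-48561 not mitigated, update now" ;;
        *) echo "$1: unrecognised patch level string" ;;
    esac
    return $rc
}

# check_device: read the patch level from the attached device and report it.
check_device() {
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
    if [ -z "$level" ]; then
        echo "could not read patch level (device attached and authorised?)" >&2
        return 3
    fi
    report_patch_status "$level"
}

# Query a real device only when invoked as: sh check_patch.sh --device
if [ "${1:-}" = "--device" ]; then
    check_device
fi
```

Because the comparison is a plain integer test on the stripped date, the same function works unchanged for a later minimum once the December update ships.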
