Cybersecurity researchers have identified a critical Android vulnerability known as "Pixnapping" that allows malicious apps to steal sensitive on-screen data, including cryptocurrency wallet seed phrases and two-factor authentication (2FA) codes, without requiring special permissions. The attack, discovered by a team at Carnegie Mellon University, exploits Android's application programming interfaces (APIs) to reconstruct visual content by reading pixel colors through semi-transparent overlays.
Pixnapping works by layering activities over target applications and using timing analysis of frame renders to infer the color of individual pixels. This method bypasses app isolation, enabling attackers to slowly rebuild displayed information such as recovery phrases or 6-digit 2FA codes. Tests on devices like the Google Pixel 6 through Pixel 9 and Samsung Galaxy S25, running Android 13 to 16, showed success rates of up to 73% for retrieving 2FA codes on the Pixel 6, with rates of 53% on Pixel 7, 29% on Pixel 8, and 53% on Pixel 9. The average recovery time per code ranged from 14 to 26 seconds.
Google rated the issue as high severity and issued a partial patch in September 2025, but researchers found a way to bypass that patch, leading to ongoing coordination on a full fix expected in December. The vulnerability, tracked as CVE-2025-48561, was reported in February 2025, and Samsung devices remain at risk because the initial patch is ineffective on them. Security experts, including researcher Vladimir S, emphasize using hardware wallets to store recovery phrases offline, since a phrase that is never displayed on a phone screen cannot be captured by a screen-based attack.