Researchers have discovered a new Android attack called “Pixnapping” that can secretly steal sensitive on-screen data, including two-factor authentication (2FA) codes, private messages, and financial information.

Developed by a team at Carnegie Mellon University, the attack combines Android APIs with a GPU hardware side channel known as GPU.zip to read pixels rendered by other apps. In tests, a malicious app stole a 2FA code from Google Authenticator in under 30 seconds without requesting any permissions and without any visible indication to the user.

The flaw affects recent Google and Samsung phones, including the Pixel 6–9 and Galaxy S25, running Android 13 to 16. Research lead Riccardo Paccagnella described it as “a fundamental violation of Android’s security model.” Google has logged the issue as CVE-2025-48561 and issued partial fixes, though researchers say Android remains vulnerable.

Experts advise users and businesses to keep devices updated, avoid untrusted apps, and limit the display of sensitive data until a full patch is released.