Android security flaw lets hackers steal 2FA codes and chats

Just a heads up, if you buy something through our links, we may get a small share of the sale. It’s one of the ways we keep the lights on here. Click here for more.

Android phones have a new kind of heartburn: an academic team has revealed a cheeky new attack called Pixnapping. 

This hack can nick whatever’s visible on your screen, think two-factor codes, chat threads, or location timelines, in under 30 seconds. 

The setup reads like low-effort sorcery: a seemingly harmless app (no special permissions required) nudges a target app to render secret content, then probes the phone’s rendering pipeline pixel by pixel to figure out whether each spot is lit. 

Put enough of those “is it on?” answers together, and you can reassemble numbers and letters without ever taking a real screenshot.

Researchers proved the trick on Google Pixel phones and Samsung’s Galaxy S25, and say the technique could be tuned for other models. (Via: Ars Technica)

Pixnapping exploits a timing side channel, the same family of GPU weirdness that powered the old GPU.zip web attacks, where the GPU’s tiny timing differences reveal how long it takes to draw particular graphics. 

By drawing transparent overlays and measuring frame-render times at specific coordinates, the malicious app can infer pixel colors and reconstruct the visible image.

The attack happens in three acts: first, the rogue app invokes the victim app to render the sensitive screen (say, a Google Authenticator code). 

Second, it draws over the content and issues graphic operations aimed at particular pixels. Third, it times rendering delays and stitches the results into readable characters. 

It’s slow and fiddly, which matters: 2FA codes are only valid for 30 seconds, so timing is everything. 

The team reported varied success across phones, often cracking codes on Pixels in well under 30 seconds, while the S25 produced noisier results.

Google says it shipped a September patch (CVE-2025-48561) and plans more fixes, and hasn’t seen in-the-wild attacks so far. 

Pixnapping is a neat academic demonstration and a reminder that “what’s on your screen” is not always private. 

It’s both an applause line for research-savvy engineers and a practical nudge: maybe treat pixels like secrets, not just pretty rectangles. 

Meanwhile, users should be cautious about unknown apps, and developers should consider stricter rendering isolation and platform-level timing mitigations going forward, urgently too.