Android 'Pixnapping' Attack Can Capture App Data Like 2FA Codes
Tuesday, October 14, 2025, 05:30, by Slashdot
'First, the malicious app opens the target app (e.g., Google Authenticator), submitting its pixels for rendering,' explained [Alan Wang, a PhD candidate at UC Berkeley]. 'Second, the malicious app picks the coordinates of a target pixel whose color it wants to steal. Suppose for example it wants to steal a pixel that is part of the screen region where a 2FA character is known to be rendered by Google Authenticator, and that this pixel is either white (if nothing was rendered there) or non-white (if part of a 2FA digit was rendered there). Third, the malicious app causes some graphical operations whose rendering time is long if the target pixel is non-white and short if it is white. The malicious app does this by opening some malicious activities (i.e., windows) in front of the target app. Finally, the malicious app measures the rendering time per frame of the above graphical operations to determine whether the target pixel was white or non-white. These last few steps are repeated for as many pixels as needed to run OCR over the recovered pixels and guess the original content.'

The researchers have demonstrated Pixnapping on five devices running Android versions 13 to 16 (up until build id BP3A.250905.014): Google Pixel 6, Google Pixel 7, Google Pixel 8, Google Pixel 9, and Samsung Galaxy S25. Android 16 is the latest operating system version. Other Android devices have not been tested, but the mechanism that allows the attack to work is typically available. A malicious Android app implementing Pixnapping would not require any special permissions in its manifest file, the authors say.

The researchers detail the attack in a paper (PDF) titled 'Pixnapping: Bringing Pixel Stealing out of the Stone Age.'

Read more of this story at Slashdot.
https://yro.slashdot.org/story/25/10/14/019242/android-pixnapping-attack-can-capture-app-data-like-2...