Pixel Stealing “Pixnapping”: A new exploit on Android

  • OCTOBER 29TH, 2025
  • 2min read

Introduction

Android devices are vulnerable to a new attack that can covertly steal two-factor authentication codes, location timelines, and other private data in less than 30 seconds. Pixel-stealing attacks were first demonstrated against web browsers in 2013 and browsers were hardened against them, but a group of researchers has now found a new way to extract sensitive data on Android by measuring how specific pixels behave, and has reported it to the vendors.

In their research paper, Alan Wang et al. explain the attack and the experiments they carried out. The researchers tested their framework on modern Google Pixel phones (6, 7, 8 and 9) and a Samsung Galaxy S25, and succeeded in stealing secrets from both browsers and non-browser apps. They disclosed the findings to Google and Samsung in early 2025. As of October 2025, Google has shipped a partial mitigation, but the researchers found a workaround that bypasses it, and both companies are working on a fuller fix planned for December. Other Android devices may also be vulnerable. CVE-2025-48561 has been assigned to track this security flaw.

How it works

A Pixnapping attack proceeds in three steps, all performed by a malicious app that needs no Android permissions:

  • Trigger rendering: the malicious app uses Android intents to launch the target app (an authenticator, for example) or a web page, so that the sensitive content is drawn to the screen.
  • Isolate pixels: it stacks its own semi-transparent activities on top of the target and applies graphical operations (such as blurring) to the target's pixels at the coordinates the attacker cares about, so that each rendering step depends on a single target pixel.
  • Leak through a side channel: the time the GPU takes to render the result depends on the underlying pixel data (the GPU.zip compression effect), so timing the rendering reveals whether a pixel is light or dark. Repeating this over many coordinates lets the attacker map the pixels back to letters, numbers or shapes, such as the digits of a 2FA code.

Precautions

  • Update regularly: Make sure your device and apps have the latest security updates.
  • Be cautious when installing apps: Only install apps from trusted sources like Google Play and check reviews and permissions before installing. Avoid sideloading unknown APKs and ask yourself if the permissions an app asks for are really needed for what you want it to do.
  • Review permissions: Android's permission system has improved, but check regularly what apps can do and remove permissions from apps you rarely use. Note that Pixnapping itself needs no special permission, so this is general hygiene rather than a direct defence against it.
  • Limit sensitive data on screen: Don't keep sensitive information (such as codes, addresses or logins) displayed longer than needed, and close apps after use; the attack can only read what is on screen while it runs.
  • Enable Play Protect: Keep Play Protect active to help spot malicious apps before they’re installed.
  • Antimalware: Use up-to-date real-time anti-malware protection on your Android device, preferably with a web protection module.
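A practical check for the first precaution is to confirm that a device reports a security patch level at or after the bulletin that carried the partial Pixnapping mitigation. The script below is an added example, not part of the original advisory or the researchers' work. It parses the output of `adb shell getprop ro.build.version.security_patch` (a real Android system property, formatted YYYY-MM-DD) and compares it with a required level; the 2025-09-05 cutoff is this example's assumption, so verify the exact patch level against the Android Security Bulletin for your device.

```python
"""Check whether an Android device's reported security patch level is recent enough.

Added example (not from the original advisory). Feed it the output of:
    adb shell getprop ro.build.version.security_patch
A missing or malformed value is treated as NOT current (fail closed).
"""
from datetime import date
from typing import Optional

# Assumed cutoff: the patch level of the bulletin that shipped the partial
# Pixnapping mitigation. Confirm this against the Android Security Bulletin.
REQUIRED_PATCH_LEVEL = "2025-09-05"


def parse_patch_level(raw: str) -> Optional[date]:
    """Convert getprop output (YYYY-MM-DD plus optional whitespace) into a date.

    Returns None when the property is empty or not a valid ISO date, which is
    what you see on some custom ROMs or when the property is missing.
    """
    value = raw.strip()
    if not value:
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def patch_level_is_current(raw: str, required: str = REQUIRED_PATCH_LEVEL) -> bool:
    """True only if the device reports a patch level at or after `required`."""
    found = parse_patch_level(raw)
    if found is None:
        return False
    return found >= date.fromisoformat(required)


def assess(raw: str, required: str = REQUIRED_PATCH_LEVEL) -> str:
    """Human-readable verdict suitable for a device-compliance checklist."""
    found = parse_patch_level(raw)
    if found is None:
        return "UNKNOWN: security patch level not reported or malformed"
    if found >= date.fromisoformat(required):
        return f"OK: patch level {found} is at or after {required}"
    return f"OUTDATED: patch level {found} predates {required}; install pending updates"


if __name__ == "__main__":
    # Constructed sample values standing in for real `adb shell getprop` output.
    samples = ["2025-10-05\n", "2025-09-05", "2025-08-01", "", "unknown"]
    for sample in samples:
        print(repr(sample), "->", assess(sample))
```

Treat a passing result as necessary but not sufficient: the page notes that the researchers bypassed the partial fix, so a current patch level reduces exposure until the fuller December fix lands, and the other precautions still apply.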

Keywords

  • Primary: Pixnapping, Android exploit, CVE-2025-48561
  • Secondary: pixel stealing attack, Android vulnerability, Google Pixel security, Samsung Galaxy exploit, Android malware, 2FA theft, side-channel attack, data privacy
