Researchers uncover “Pixnapping,” a new class of Android attacks that can steal on-screen data in seconds

Michael Cunningham

Oct 13, 2025

A team of researchers featuring Riccardo Paccagnella, assistant professor in Carnegie Mellon University’s Software and Societal Systems Department (S3D), has uncovered a new class of Android attacks that can stealthily steal sensitive information displayed by other apps or even websites.

The attack, dubbed “Pixnapping,” exploits both Android operating system features and a hardware side channel to extract on-screen data — such as two-factor authentication (2FA) codes, private messages, and financial information — without users ever realizing their data has been compromised. The research will be presented at this week’s ACM Conference on Computer and Communications Security (CCS 2025) in Taipei, Taiwan.

Pixnapping allows a malicious Android app to “snap” pixels from other apps or websites by exploiting Android APIs and a GPU hardware side channel known as “GPU.zip,” which leaks information about how the graphics hardware processes visual data. The researchers demonstrated successful attacks on modern Google and Samsung phones, including the Pixel 6 through Pixel 9 and the Galaxy S25, running Android versions 13 through 16.

In proof-of-concept tests, Pixnapping was able to recover sensitive information from widely used apps and websites such as Signal, Venmo, Google Authenticator, Gmail, Google Maps, and Google Accounts. Most strikingly, a malicious app could steal 2FA codes from Google Authenticator in less than 30 seconds, all without requiring any Android permissions or displaying suspicious activity to the user.

“Conceptually, it is as if any app could take a screenshot of other apps or websites without permission, which is a fundamental violation of Android’s security model,” said Paccagnella.

In February, the research team disclosed its findings to Google, which rated Pixnapping as a “High Severity” vulnerability and began tracking it under CVE-2025-48561 in the Common Vulnerabilities and Exposures (CVE) system. Google attempted to mitigate the issue by restricting access to certain APIs, but the research team later discovered a workaround that restored the attack’s effectiveness. As of October 13, 2025, Android remains vulnerable.

“Fixing Pixnapping will likely require changes to core Android mechanisms, for example, by allowing apps to prevent other apps from drawing over their sensitive content,” said Paccagnella.

He warns that because the core mechanisms used by Pixnapping are typically available in all Android devices, the vulnerability likely affects a wide range of smartphones across manufacturers.

To prevent Pixnapping, the researchers recommend that users keep their Android devices updated with the latest patches as soon as they are released.

The team plans to release Pixnapping’s source code once effective patches are available, to support further academic research and industry defenses. You can get the latest updates and information on the project via its website.