Pixnapping Attack

https://news.ycombinator.com/rss Hits: 18
Summary

Pixnapping is a new class of attacks that allows a malicious Android app to stealthily leak information displayed by other Android apps or arbitrary websites. Pixnapping exploits Android APIs and a hardware side channel that affects nearly all modern Android devices. We have demonstrated Pixnapping attacks on Google and Samsung phones and end-to-end recovery of sensitive data from websites including Gmail and Google Accounts and apps including Signal, Google Authenticator, Venmo, and Google Maps. Notably, our attack against Google Authenticator allows any malicious app to steal 2FA codes in under 30 seconds while hiding the attack from the user.

Research paper

The Pixnapping paper will appear in the 32nd ACM Conference on Computer and Communications Security (Taipei, Taiwan; October 13-17, 2025) with the following title: Pixnapping: Bringing Pixel Stealing out of the Stone Age

You can download a preprint of the paper and cite it via this BibTeX citation. The paper is the result of a collaboration between the following researchers:

Questions and answers

What devices are affected?

We instantiated Pixnapping on five devices running Android versions 13 to 16 (up until build id BP3A.250905.014): Google Pixel 6, Google Pixel 7, Google Pixel 8, Google Pixel 9, and Samsung Galaxy S25. We have not confirmed if Android devices from other vendors are affected by Pixnapping. However, the core mechanisms enabling the attack are typically available in all Android devices.

What are the attack requirements?

Any running Android app can mount this attack, even if it does not have any Android permissions (i.e., no permissions are specified in its manifest file).

What information does the attack steal?

Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping. Chat messages, 2FA codes, email messages, etc. are all vulnerable since they are visible.
If an app has secret information t...

First seen: 2025-10-15 06:41

Last seen: 2025-10-15 23:44