Pixnapping: The stealthy attack that captures what you see on Android

Last update: 15/10/2025

  • Pixnapping can steal 2FA codes and other on-screen data in less than 30 seconds without permission.
  • It works by abusing Android APIs and a GPU side channel to infer pixels from other apps.
  • Tested on Pixel 6-9 and Galaxy S25; the initial patch (CVE-2025-48561) doesn't fully block it.
  • It is recommended to use FIDO2/WebAuthn, minimize sensitive data on screen, and avoid apps from dubious sources.

Pixnapping Attack on Android

A team of researchers has revealed Pixnapping, an attack technique against Android phones capable of capturing what is displayed on the screen and extracting private data such as 2FA codes, messages or locations in a matter of seconds and without requesting permission.

The key is to abuse certain system APIs and a GPU side channel to deduce the content of the pixels you see; the process is invisible and effective as long as the information remains visible, while secrets not shown on screen cannot be stolen. Google has introduced mitigations associated with CVE-2025-48561, but the authors of the discovery have demonstrated ways to evade them, and further reinforcement is expected in the December Android security bulletin.

What is Pixnapping and why is it a concern?

The name combines “pixel” and “kidnapping” because the attack literally performs a “pixel hijacking” to reconstruct information that appears in other apps. It's an evolution of side-channel techniques used years ago in browsers, now adapted to the modern Android ecosystem with smoother, quieter execution.

Since it does not require special permissions, Pixnapping bypasses defenses based on the permission model and operates almost invisibly, which increases the risk for users and companies that base part of their security on what appears fleetingly on the screen.

How the attack is executed

In general terms, the malicious app orchestrates overlapping activities and synchronizes rendering to isolate specific areas of the interface where sensitive data is displayed; it then exploits the timing difference when processing pixels to infer their value.

  • Causes the target app to display the data (for example, a 2FA code or sensitive text).
  • Hides everything except the area of interest and manipulates the rendering frame so that one pixel “dominates.”
  • Interprets GPU processing times (e.g. a GPU.zip-type phenomenon) and reconstructs the content.

With repetition and synchronization, the malware deduces characters and reassembles them using OCR techniques. The time window limits the attack, but if the data remains visible for a few seconds, recovery is possible.

Scope and affected devices

The academics verified the technique on the Google Pixel 6, 7, 8 and 9 and on the Samsung Galaxy S25, with Android versions 13 through 16. Since the exploited APIs are widely available, they warn that “almost all modern Androids” could be susceptible.

In tests with TOTP codes, the attack recovered the entire code at rates of approximately 73%, 53%, 29% and 53% on the Pixel 6, 7, 8 and 9, respectively, with average times close to 14.3 s, 25.8 s, 24.9 s and 25.3 s, which is fast enough to beat the expiration of temporary codes.

What data can be exposed

In addition to authentication codes (Google Authenticator), researchers showed recovery of information from services such as Gmail and Google accounts, messaging apps such as Signal, financial platforms such as Venmo or location data from Google Maps, among others.

They also warn about data that remains on the screen for longer periods of time, such as wallet recovery phrases or one-time keys; however, stored but not visible elements (e.g., a secret key that is never shown) are beyond the scope of Pixnapping.

Google Response and Patch Status

The finding was communicated in advance to Google, which labeled the issue as high severity and published an initial mitigation associated with CVE-2025-48561. However, researchers found methods to evade it, so an additional patch has been promised in the December security bulletin, and coordination with Google and Samsung continues.

The current situation suggests that a definitive block will require a review of how Android handles rendering and overlays between applications, since the attack exploits precisely those internal mechanisms.

Recommended mitigation measures

For end users, it is advisable to reduce the exposure of sensitive data on screen and opt for authentication that resists phishing and side channels, such as FIDO2/WebAuthn with security keys, avoiding exclusive reliance on TOTP codes whenever possible.

  • Keep the device up to date and apply security bulletins as soon as they become available.
  • Avoid installing apps from unverified sources and review permissions and anomalous behavior.
  • Do not keep recovery phrases or credentials visible; prefer hardware wallets to guard keys.
  • Lock the screen quickly and limit previews of sensitive content.

For product and development teams, it's time to review authentication flows and reduce the exposure surface: minimize secret text on screen, introduce additional protections in critical views and evaluate the transition to hardware-based, code-free methods.

Although the attack requires the information to be visible, its ability to operate without permission and in less than half a minute makes it a serious threat: a side-channel technique that takes advantage of GPU rendering times to read what you see on screen, with partial mitigations today and a deeper fix pending.
