- Pixnapping na iya satar lambobin 2FA da sauran bayanan kan allo cikin ƙasa da daƙiƙa 30 ba tare da izini ba.
- Yana aiki ta hanyar cin zarafin APIs na Android da tashar gefen GPU don tantance pixels daga wasu ƙa'idodi.
- An gwada akan Pixel 6-9 da Galaxy S25; facin farko (CVE-2025-48561) bai cika toshe shi ba.
- Ana ba da shawarar yin amfani da FIDO2/WebAuthn, rage mahimman bayanai akan allo, da guje wa ƙa'idodi daga tushe masu shakka.
Wata ƙungiyar masu bincike ta bayyana Pixnapping, a Dabarar kai hari kan wayoyin Android masu iya daukar abin da aka nuna akan allo da kuma fitar da bayanan sirri kamar lambobin 2FA, saƙonni ko wurare a cikin daƙiƙa kuma ba tare da neman izini ba.
Makullin shine cin zarafin wasu tsarin APIs da kuma a GPU gefen tashar don cire abun ciki na pixels da kuke gani; tsarin ba shi da ganuwa kuma yana da tasiri idan dai bayanan sun kasance a bayyane, yayin da Ba za a iya sace asirin da ba a nuna akan allo ba. Google ya gabatar da raguwa masu alaƙa da CVE-2025-48561, amma marubutan binciken sun nuna hanyoyin gujewa, kuma ana sa ran ƙarin ƙarfafawa a cikin sanarwar tsaro ta Android na Disamba.
Menene Pixnapping kuma me yasa yake damuwa?
Sunan ya haɗa "pixel" da "kidnapping" saboda harin a zahiri yana yin a "Pixel Hijacking" don sake gina bayanan da ke bayyana a wasu ƙa'idodin. Juyin halitta ne na dabarun tashoshi da aka yi amfani da su shekaru da suka gabata a cikin masu bincike, yanzu sun dace da yanayin yanayin Android na zamani tare da sassauƙa, aiwatar da shuru.
Tunda ba ya buƙatar izini na musamman, Pixnapping yana nisantar kariya dangane da samfurin izini da yana aiki kusan ganuwa, wanda ke ƙara haɗari ga masu amfani da kamfanoni waɗanda suka dogara da wani ɓangare na tsaro akan abin da ya bayyana a kan allo.
Yadda ake aiwatar da harin
A cikin sharuddan gabaɗaya, ƙaƙƙarfan ƙa'idar tana shirya a ayyukan da suka yi karo da juna kuma yana aiki tare da yin aiki don keɓance takamaiman wurare na mahaɗin inda aka nuna mahimman bayanai; sannan yana amfani da bambance-bambancen lokaci lokacin sarrafa pixels don tantance ƙimar su (duba yadda Bayanan martaba suna shafar FPS).
- Yana sa app ɗin da aka yi niyya don nuna bayanan (misali, lambar 2FA ko rubutu mai mahimmanci).
- Yana ɓoye komai banda yankin sha'awa kuma yana sarrafa firam ɗin ma'ana ta yadda pixel ɗaya "ya mamaye."
- Yana fassara lokutan sarrafa GPU (misali GPU.zip nau'in sabon abu) kuma ya sake gina abun ciki.
Tare da maimaitawa da aiki tare, malware yana cire haruffa kuma yana sake haɗa su ta amfani da su OCR dabaruTagar lokaci tana iyakance harin, amma idan bayanan ya kasance a bayyane na ƴan daƙiƙa kaɗan, mai yiwuwa mai yiwuwa ne.
Iyaka da na'urorin da abin ya shafa
Masana kimiyya sun tabbatar da fasaha a ciki Google Pixel 6, 7, 8 da 9 kuma a cikin Samsung Galaxy S25, tare da nau'ikan Android 13 zuwa 16. Tun da APIs da aka yi amfani da su suna da yawa, sun yi gargaɗin cewa "kusan duk Androids na zamani" zai iya zama mai saukin kamuwa.
A cikin gwaje-gwaje tare da lambobin TOTP, harin ya gano dukkan lambar tare da ƙimar kusan 73%, 53%, 29% da 53% akan Pixel 6, 7, 8 da 9, bi da bi, kuma a matsakaicin lokutan kusa 14,3s; 25,8s; 24,9s da 25,3s, ba ku damar samun gaban ƙarewar lambobin wucin gadi.
Abin da bayanai zai iya fada
Ban da Lambobin tantancewa (Google Authenticator), masu bincike sun nuna dawo da bayanai daga ayyuka irin su Gmail da asusun Google, aikace-aikacen aika saƙo kamar Signal, dandamali na kuɗi kamar Venmo ko bayanan wurin daga Taswirorin Googleda sauransu.
Suna kuma faɗakar da ku game da bayanan da suka rage akan allon na tsawon lokaci, kamar jimlolin dawo da walat ko makullin lokaci guda; duk da haka, abubuwan da aka adana amma ba bayyane (misali, maɓalli na sirri da ba a taɓa nunawa ba) sun wuce iyakar Pixnapping.
Martanin Google da Matsayin Faci
An sanar da binciken a gaba ga Google, wanda ya lakafta batun a matsayin babban tsanani kuma ya buga farkon raguwa mai alaƙa da CVE-2025-48561Duk da haka, masu bincike sun gano hanyoyin da za su kauce masa, don haka An yi alkawarin ƙarin faci a cikin wasiƙar Disamba kuma ana kiyaye daidaituwa tare da Google da Samsung.
Halin da ake ciki a yanzu yana nuna cewa ƙaƙƙarfan toshe zai buƙaci sake duba yadda Android ke sarrafa ma'ana da overlays tsakanin aikace-aikace, tun da harin yana amfani da daidai waɗancan hanyoyin na ciki.
Abubuwan da aka ba da shawarar ragewa
Ga masu amfani na ƙarshe, yana da kyau a rage fallasa bayanai masu mahimmanci akan allo kuma su zaɓi amincin juriyar phishing da tashoshi na gefe, kamar su. FIDO2/WebAuthn tare da maɓallan tsaro, guje wa dogaro na musamman akan lambobin TOTP a duk lokacin da zai yiwu.
- Ci gaba da sabunta na'urar sannan a yi amfani da bayanan tsaro da zarar sun samu.
- Guji shigar da apps daga hanyoyin da ba a tabbatar da su ba da kuma bitar izini da halayen da ba su da kyau.
- Kar a ci gaba da ganin jumlolin dawo da bayanai; fi son hardware wallets don kiyaye maɓalli.
- Kulle allon da sauri da iyakance samfoti na abun ciki mai mahimmanci.
Don ƙungiyoyin samfura da haɓakawa, lokaci ya yi da za a bita ingantattun kwarara da rage faɗuwar faɗuwa: rage girman rubutun sirri akan allo, gabatar da ƙarin kariya a cikin ra'ayoyi masu mahimmanci da kimanta canji zuwa hanyoyin kyauta tushen hardware.
Ko da yake harin yana buƙatar bayanan a bayyane, ikonsa na aiki ba tare da izini ba kuma a cikin ƙasa da rabin minti ya sa ya zama barazana mai tsanani: fasaha ta hanyar tashar da ke amfani da amfani da Lokacin yin GPU don karanta abin da kuke gani akan allo, tare da sassauƙa sassa a yau da zurfin gyarawa yana jiran.
Ni mai sha'awar fasaha ne wanda ya mayar da sha'awar "geek" zuwa sana'a. Na shafe fiye da shekaru 10 na rayuwata ta yin amfani da fasaha mai mahimmanci da kuma yin amfani da kowane nau'i na shirye-shirye saboda tsantsar son sani. Yanzu na kware a fasahar kwamfuta da wasannin bidiyo. Wannan shi ne saboda sama da shekaru 5 ina yin rubutu a gidajen yanar gizo daban-daban kan fasaha da wasannin bidiyo, ina ƙirƙirar kasidu da ke neman ba ku bayanan da kuke buƙata cikin yaren da kowa zai iya fahimta.
Idan kuna da wasu tambayoyi, ilimina ya bambanta daga duk wani abu da ya shafi tsarin aiki na Windows da kuma Android don wayoyin hannu. Kuma alƙawarina shine a gare ku, koyaushe a shirye nake in yi ƴan mintuna kaɗan in taimaka muku warware duk wata tambaya da kuke da ita a duniyar Intanet.