- Pixnapping can steal 2FA codes and other on-screen data in under 30 seconds without requesting any permission.
- It works by abusing Android APIs and a GPU side channel to extract pixels rendered by other applications.
- Tested on Pixel 6 to 9 and the Galaxy S25; the initial patch (CVE-2025-48561) does not fully close the hole.
- Recommendations: use FIDO2/WebAuthn, reduce the sensitive data shown on screen, and avoid apps from untrusted sources.
A team of researchers has disclosed Pixnapping, an attack technique against Android phones that can capture what is displayed on the screen and extract sensitive data such as 2FA codes, messages or location within seconds, without requesting any permission.
The key is the abuse of certain system APIs together with a GPU side channel to extract the contents of the pixels you see; the method is invisible to the user and works as long as the information remains on screen, while secrets that are never displayed cannot be stolen. Google has shipped a mitigation tracked as CVE-2025-48561, but the researchers have already demonstrated ways around it, and further hardening is expected in the December Android security bulletin.
What is Pixnapping and why is it concerning?

The name combines "pixel" and "kidnapping" because the attack effectively performs a "pixel hijacking" to reconstruct information visible in other applications. It is an evolution of side-channel techniques used years ago against browsers, now adapted to the modern Android ecosystem with simpler, silent execution.
Because it needs no special permission, Pixnapping sidesteps defenses built on the permission model and runs unnoticed, which raises the risk for users and companies that rest part of their security on what briefly appears on screen.
How the attack is carried out

In broad terms, the malicious app orchestrates a sequence of overlapping activities and coordinates rendering so as to isolate specific regions of the interface that display sensitive data; it then exploits timing differences in pixel rendering to infer each pixel's value.
- It triggers the target app to display the data (for example, a 2FA code or sensitive text).
- It masks everything except the region of interest and manipulates the rendering pipeline so that a single pixel "dominates" the result.
- It measures GPU rendering times (a GPU.zip-style effect) and reconstructs the contents from them.
Through repetition and coordination, the malware extracts characters and reassembles them with OCR-like techniques. The time window limits the attack, but if the data stays visible for a few seconds, recovery is feasible.
Scope and affected devices
The researchers validated the technique on the Google Pixel 6, 7, 8 and 9 and on the Samsung Galaxy S25, running Android versions 13 to 16. Since the APIs involved are available across many environments, they warn that "virtually all modern Android devices" could be affected.
In tests against TOTP codes, the attack recovered the full code at rates of roughly 73%, 53%, 29% and 53% on the Pixel 6, 7, 8 and 9 respectively, with average times of about 14.3 s, 25.8 s, 24.9 s and 25.3 s, fast enough to beat the expiry of short-lived codes.
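The figures above only matter because a stolen TOTP code is useless once its 30-second step has rolled over. The following added example (it is not code from the article or from the Pixnapping researchers) implements RFC 6238 TOTP and a simple model of whether a code captured after a given delay is still accepted. The `grace_steps` parameter is an assumption: it models a verifier that also accepts the previous step, which many deployments do and which widens the attacker's window considerably.

```python
"""Added example: RFC 6238 TOTP plus a model of the capture-delay window.
Not code from the article or from the Pixnapping researchers."""
import hashlib
import hmac
import struct

STEP = 30     # TOTP time step in seconds (the common default)
DIGITS = 6    # code length used by most authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def seconds_remaining(unix_time: int, step: int = STEP) -> int:
    """Seconds until the code shown at unix_time rolls over to the next step."""
    return step - (unix_time % step)


def captured_code_still_valid(display_time: float, capture_seconds: float,
                              step: int = STEP, grace_steps: int = 0) -> bool:
    """Assumption (hypothetical model): the victim's code appears on screen at
    display_time and the attacker finishes reconstructing it capture_seconds
    later. The code is usable if the verifier still accepts the step it belongs
    to; grace_steps > 0 models a server that also accepts earlier steps."""
    use_time = display_time + capture_seconds
    return (use_time // step) - (display_time // step) <= grace_steps


def success_rate_over_step(capture_seconds: float, step: int = STEP,
                           grace_steps: int = 0) -> float:
    """Fraction of display offsets within one step (0..step-1 seconds) at which
    a capture taking capture_seconds still yields a usable code."""
    usable = sum(
        1 for offset in range(step)
        if captured_code_still_valid(offset, capture_seconds, step, grace_steps)
    )
    return usable / step


if __name__ == "__main__":
    # Constructed sample secret: the ASCII test key from RFC 6238 Appendix B.
    secret = b"12345678901234567890"
    now = 1111111109
    print("code:", totp(secret, now), "valid for", seconds_remaining(now), "s")
    for delay in (14.3, 25.8, 24.9, 25.3):   # average capture times from the article
        strict = success_rate_over_step(delay)
        lenient = success_rate_over_step(delay, grace_steps=1)
        print(f"capture {delay:>4}s: usable {strict:.0%} of the time (strict), "
              f"{lenient:.0%} with one step of grace")
```

Under a strict verifier a 25 s capture only pays off when the code was displayed in the first few seconds of its step, whereas a 14 s capture works from more than half of the possible offsets; with a one-step grace window every capture in the article's range succeeds, which is why the recommendation below is to move away from TOTP rather than to tune its step.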
What data can be leaked
Beyond authentication codes (Google Authenticator), the researchers demonstrated recovery of information from services such as Gmail and Google accounts, messaging apps such as Signal, financial platforms such as Venmo, and location data from Google Maps, among others.
They also warn about data that stays on screen for a long time, such as wallet recovery phrases or one-time keys; by contrast, items that are stored but never displayed (for example, a private key that is never shown on screen) are outside Pixnapping's reach.
Google's response and patch status
The findings were disclosed to Google in advance; Google rated the issue as high severity and released an initial mitigation tracked as CVE-2025-48561. However, the researchers found ways to bypass it, so a further patch has been promised for the December bulletin and coordination with Google and Samsung continues.
The current situation shows that a robust fix requires a review of how Android handles rendering and overlays between applications, since the attack exploits precisely those internal mechanisms.
Recommended mitigations

For end users, the advice is to minimize how much sensitive data is shown on screen and to prefer authentication that resists both phishing and side channels, such as FIDO2/WebAuthn with security keys, avoiding sole reliance on TOTP codes wherever possible.
- Keep the device updated and apply security patches as soon as they are available.
- Avoid installing apps from unverified sources, and review permissions and suspicious behaviour.
- Do not leave recovery phrases or credentials visible on screen; prefer hardware wallets for key custody.
- Lock the screen promptly and minimize on-screen previews of content.
For product and development teams, it is time to review authentication flows and reduce on-screen exposure: minimize sensitive text on screen, add extra protections to critical views, and evaluate a move to hardware-based methods that do not rely on displayed codes.
Although the attack requires the information to be visible, its ability to operate without permissions and in under half a minute makes it a serious threat: a side-channel technique that exploits GPU rendering timings to read what you see on screen, with limited mitigations today and a deeper fix still pending.
I am a technology enthusiast who turned a "geek" hobby into a profession. I have spent more than ten years of my life using cutting-edge technology and tinkering with all kinds of programs out of sheer curiosity. Today I am a specialist in computing and video games. This is because for over 10 years I have been writing for various technology and video-game websites, producing articles that aim to give you the information you need in language anyone can understand.
If you have any questions, my knowledge covers everything related to the Windows operating system as well as Android for mobile phones. And my commitment is to you: I am always ready to spend a few minutes helping you resolve whatever questions you may have in this world of the internet.