Close Menu

    Subscribe to Updates

    Get the latest tech news from Tallwire.

      What's Hot

      U.S. Biotechs Turn to Secrecy as China Accelerates Drug Development Race

      July 16, 2026

      AI Chatbots Face Growing Scrutiny as Mental Health Risks Draw Medical Alarm

      July 16, 2026

      Record Industry Pushes for AI Labels on Streaming Music

      July 15, 2026
      Facebook X (Twitter) Instagram
      • Tech
      • AI
      • Get In Touch
      Facebook X (Twitter) LinkedIn
      TallwireTallwire
      • Tech

        U.S. Biotechs Turn to Secrecy as China Accelerates Drug Development Race

        July 16, 2026

        Fiat Bets on Tiny EV as Affordable Transportation Returns to the Spotlight

        July 15, 2026

        Personalized UVB Device Promises Vitamin D Benefits While Raising Questions About Medicalizing Everyday Health

        July 15, 2026

        Meta Patent Ignites Fresh Fears Over AI-Powered Emotional Surveillance

        July 14, 2026

        AI Protesters March on Silicon Valley Giants Demanding Development Freeze

        July 14, 2026
      • AI

        AI Chatbots Face Growing Scrutiny as Mental Health Risks Draw Medical Alarm

        July 16, 2026

        U.S. Biotechs Turn to Secrecy as China Accelerates Drug Development Race

        July 16, 2026

        Record Industry Pushes for AI Labels on Streaming Music

        July 15, 2026

        AI Chatbots Increasingly Clash With Eating Disorder Treatment

        July 15, 2026

        Anthropic Doubles Down on New York as AI Talent War Intensifies

        July 15, 2026
      • Security

        China’s AI Distillation Campaign Raises New Concerns Over U.S. Technology Security

        July 13, 2026

        AI Tools Increasingly Exploited by Terrorist Organizations, New Research Finds

        July 13, 2026

        Pentagon Expands Engineering Recruitment to Restore America’s Military Technology Edge

        July 13, 2026

        EU Lawmakers Advance Controversial Private Message Scanning Measure Despite Mounting Privacy Concerns

        July 12, 2026

        Scramble Intensifies to Secure America Against Emerging AI National Security Threats

        July 12, 2026
      • Health

        AI Chatbots Face Growing Scrutiny as Mental Health Risks Draw Medical Alarm

        July 16, 2026

        AI Chatbots Increasingly Clash With Eating Disorder Treatment

        July 15, 2026

        Personalized UVB Device Promises Vitamin D Benefits While Raising Questions About Medicalizing Everyday Health

        July 15, 2026

        Humanoid Robots Complete First Live Surgical Procedures in Medical Milestone

        July 14, 2026

        Meta Patent Ignites Fresh Fears Over AI-Powered Emotional Surveillance

        July 14, 2026
      • Science

        AI Chatbots Face Growing Scrutiny as Mental Health Risks Draw Medical Alarm

        July 16, 2026

        U.S. Biotechs Turn to Secrecy as China Accelerates Drug Development Race

        July 16, 2026

        Scientists Advance “StormWall” Concept to Defend Earth from Catastrophic Solar Storms

        July 15, 2026

        Personalized UVB Device Promises Vitamin D Benefits While Raising Questions About Medicalizing Everyday Health

        July 15, 2026

        Humanoid Robots Complete First Live Surgical Procedures in Medical Milestone

        July 14, 2026
      • Tech

        AI Protesters March on Silicon Valley Giants Demanding Development Freeze

        July 14, 2026

        Palo Alto Networks CEO Warns AI Costs Must Plunge Before Enterprise Adoption Can Accelerate

        July 14, 2026

        DeepMind Unionization Effort Encounters Early Resistance as Labor Talks Stall

        July 11, 2026

        Always-On Workplace Culture Pushes Employees Toward the Breaking Point

        July 10, 2026

        High-Income Families Embrace AI-Driven Schools as Alternative Education Expands

        July 9, 2026
      TallwireTallwire
      Home»Tech»Android Under Siege — New “Pixnapping” Flaw Still Unfixed, Leaks 2FA Codes
      Tech

      Android Under Siege — New “Pixnapping” Flaw Still Unfixed, Leaks 2FA Codes

      Updated:December 25, 20254 Mins Read
      Facebook Twitter Pinterest LinkedIn Tumblr Email
      Android Under Siege — New “Pixnapping” Flaw Still Unfixed, Leaks 2FA Codes
      Android Under Siege — New “Pixnapping” Flaw Still Unfixed, Leaks 2FA Codes
      Share
      Facebook Twitter LinkedIn Pinterest Email

      Security researchers have uncovered a resurgent side-channel attack called Pixnapping that lets a malicious Android app read screen pixel data from other apps and thereby steal sensitive information such as two-factor authentication (2FA) codes and private messages. The vulnerability, tracked as CVE-2025-48561, works by exploiting GPU timing and Android’s blur/overlay APIs, allowing attackers to deduce whether a pixel is “non-white” (i.e. part of displayed characters) via rendering time differences. The attack has been successfully demonstrated on multiple devices (Pixel 6 through Pixel 9 and Samsung Galaxy S25) using Android versions 13 to 16, and doesn’t require any special permissions in the app manifest. Although Google issued a partial patch in the September Android security bulletin, researchers say a full mitigation is not yet in place and they discovered a bypass to Google’s limitations. Google plans further fixes in a December security update, but as of now the threat remains active. Beyond Pixnapping, other real-world examples of MFA bypasses and vulnerabilities show that 2FA is increasingly under attack: Russian hackers bypassed Gmail’s MFA via manipulated “app passwords” in social engineering campaigns; and over 100,000 Android malware samples have been found to steal one-time SMS codes.

      Sources: MalwareBytes, ARS Technica

      Key Takeaways

      – Pixnapping revives a decade-old pixel-stealing technique, repackaged for modern Android and GPU hardware, enabling attackers to extract 2FA codes without needing elevated permissions.

      – Partial patches exist, but they’re insufficient — the full fix is still pending, and Google has yet to completely close the side channel.

      – The broader landscape shows that no 2FA method is immune: SMS, authenticator apps, and even app passwords have been targeted via malware or social engineering.

      In-Depth

      The discovery of Pixnapping is a sobering reminder: even technologies we assume are secure—like 2FA—are not beyond reach. The technique revives an old trick: leaking pixel data via timing side channels. But now it’s adapted to Android’s GPU and rendering pipelines, turning what was once a theoretical browser attack into a practical app-level exploit.

      Here’s how Pixnapping works: a malicious app launches a victim app (say Google Authenticator), overlays a semi-transparent window using Android’s blur API, and injects rendering operations whose time depends on whether a given pixel is part of a character or blank background. Because GPUs (and compressed memory paths) behave differently depending on the data, the attacker can infer whether a pixel was “white” or not. Repeating this across pixels allows them to reconstruct the displayed content (i.e. the 2FA code). What makes this especially dangerous is that it doesn’t require any special Android permissions—the attack rides through standard system APIs. The researchers demonstrated successful code extraction at a rate of about 0.6 to 2.1 pixels per second—slow, but enough given short codes. They tested it on multiple Android devices including Pixel 6/7/8/9 and Galaxy S25, across Android 13 to 16.

      Google responded by limiting how many blur API calls an activity can make, but the team found a workaround that still bypasses that restriction. They assert that the most robust defense is to block any attacker from computing on victim pixels in the first place. Google has promised further patches in December, but until those arrive, users are exposed.

      Even beyond Pixnapping, the broader multi-factor landscape is under attack. In June 2025, researchers reported that Russian actors succeeded in bypassing Gmail’s MFA by tricking targets into generating “app passwords” (which skip the second factor) through social engineering campaigns. Meanwhile, mobile malware campaigns continue to proliferate: over 100,000 Android apps have been found that intercept SMS one-time codes, and variants like Cerberus have long been able to steal codes from authenticator apps by abusing accessibility or screen overlays.

      So what’s the path forward? First, it’s critical to recognize that not all forms of 2FA are equal. Hardware security keys or WebAuthn-based MFA are much more resistant to side-channel or overlay attacks. Second, update your device promptly when patches arrive—especially when Google pushes the December update. Third, scrub your installed apps, avoid granting unnecessary permissions (especially for apps hosting dynamic UI overlays or blur effects), and prefer apps from trusted sources only. And lastly, adopt a defense-in-depth mindset: don’t rely solely on 2FA—monitor account access logs, use device binding, and assume that any given security measure might be circumvented.

      In short, Pixnapping is a clever escalation in the arms race: it doesn’t rely on a software bug in the victim app, but exploits the hardware rendering pipeline itself. Until full mitigations are rolled out, every Android user should assume 2FA codes may be at risk, and move their security posture further forward rather than assuming 2FA is foolproof.

      Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
      Previous ArticleAndroid Set to Add System-Wide Blur Toggle; A Response to Readability Concerns
      Next Article Anguilla Reaps $39 Million from .ai Domain Boom in 2024

      Related Posts

      U.S. Biotechs Turn to Secrecy as China Accelerates Drug Development Race

      July 16, 2026

      Fiat Bets on Tiny EV as Affordable Transportation Returns to the Spotlight

      July 15, 2026

      Personalized UVB Device Promises Vitamin D Benefits While Raising Questions About Medicalizing Everyday Health

      July 15, 2026

      Meta Patent Ignites Fresh Fears Over AI-Powered Emotional Surveillance

      July 14, 2026
      Add A Comment
      Leave A Reply Cancel Reply

      Editors Picks

      U.S. Biotechs Turn to Secrecy as China Accelerates Drug Development Race

      July 16, 2026

      Fiat Bets on Tiny EV as Affordable Transportation Returns to the Spotlight

      July 15, 2026

      Personalized UVB Device Promises Vitamin D Benefits While Raising Questions About Medicalizing Everyday Health

      July 15, 2026

      Meta Patent Ignites Fresh Fears Over AI-Powered Emotional Surveillance

      July 14, 2026
      Popular Topics
      trending Tesla Viral SpaceX Satya Nadella Stocks Samsung spotlight Taiwan Tech Satellite Sundar Pichai Series B Series A Startup Space UAE Tech Tesla Cybertruck starlink Tim Cook Software
      Major Tech Companies
      • Apple News
      • Google News
      • Meta News
      • Microsoft News
      • Amazon News
      • Samsung News
      • Nvidia News
      • OpenAI News
      • Tesla News
      • AMD News
      • Anthropic News
      • Elbit News
      AI & Emerging Tech
      • AI Regulation News
      • AI Safety News
      • AI Adoption
      • Quantum Computing News
      • Robotics News
      Key People
      • Sam Altman News
      • Jensen Huang News
      • Elon Musk News
      • Mark Zuckerberg News
      • Sundar Pichai News
      • Tim Cook News
      • Satya Nadella News
      • Mustafa Suleyman News
      Global Tech & Policy
      • Israel Tech News
      • India Tech News
      • Taiwan Tech News
      • UAE Tech News
      Startups & Emerging Tech
      • Series A News
      • Series B News
      • Startup News
      Tallwire
      Facebook X (Twitter) LinkedIn Threads Instagram RSS
      • Tech
      • Entertainment
      • Business
      • Government
      • Academia
      • Transportation
      • Legal
      • Press Kit
      © 2026 Tallwire. Optimized by ARMOUR Digital Marketing Agency.

      Type above and press Enter to search. Press Esc to cancel.