Android ‘Pixnapping’ Attack Exploits Pixel Timing to Steal Sensitive Data
Security researchers have uncovered a significant vulnerability in Android systems known as Pixnapping, which enables malicious apps to steal sensitive information such as two-factor authentication (2FA) codes and other data from various applications and websites. This technique, originally developed for web browsers, has been adapted to Android devices, raising serious concerns about user privacy and data security. The attack works by exploiting the time it takes for pixels to render, allowing attackers to infer the content of a screen region without direct access to the app’s data.
According to the findings, the Pixnapping attack can extract data from apps such as Google Maps, Signal, and Venmo, as well as from websites like Gmail (mail.google.com). The method involves a series of steps where a malicious app opens the target app and measures the rendering time of specific pixels. By analyzing the time it takes for pixels to render, the attacker can determine whether a pixel is white or non-white, enabling the extraction of information through optical character recognition (OCR) techniques. This method does not require any special permissions in the app’s manifest file, making it particularly dangerous as it can be implemented without the user’s knowledge.
The researchers demonstrated the attack on several Android devices, including Google Pixel 6 through Pixel 9 and the Samsung Galaxy S25, covering Android versions 13 to 16. While the latest Android version, 16, was tested, the researchers noted that the underlying mechanism is typically available on other Android devices as well. This means that the vulnerability could affect a wide range of devices, putting users at risk. The attack’s potential to steal sensitive information such as 2FA codes from Google Authenticator highlights the severity of the threat, as this data is crucial for securing user accounts and preventing unauthorized access.
Alan Wang, a PhD candidate at UC Berkeley, explained the attack’s mechanics, emphasizing the importance of addressing such vulnerabilities. The researchers have detailed their findings in a paper titled “Pixnapping: Bringing Pixel Stealing out of the Stone Age,” providing a comprehensive overview of the attack’s methodology and implications. As Android continues to evolve, it is crucial for developers and security experts to collaborate on mitigating such threats and enhancing the platform’s security features. Users are also advised to remain vigilant and adopt additional security measures to protect their data against potential threats.