The ‘Pixnapping’ Attack Can Steal Your 2FA Codes

Did you know you can customize Google to filter out garbage? Take these steps for better search results, including adding my work at Lifehacker as a preferred source.

Researchers have demonstrated a new type of malware attack that can steal sensitive information from Android devices—including Google and Samsung phones—without the knowledge or action of the target user.

The attack is called "Pixnapping," an apparent portmanteau of "pixel" and "snapping." When you download and open a piece of software containing the malware, the app scans your phone for specific apps it might want to spy on. It then accesses another app on your phone—say, Google Authenticator—but rather than open it, it pulls the information that would be displayed into the Android rendering pipeline. From there, the app scans the display information for individual pixels, targeting areas known to contain sensitive information. In the case of Google Authenticator, the focus is on the pixels known to contain the 2FA codes within the app. The malware then checks to see whether a pixel is blank, or contains some type of rendered content. It uses these findings to recover the original images, like a complete 2FA code, without ever actually having seen the original images in the first place.

This process can repeat for as long as it takes to scan the stolen pixels and pull the original information from them, all without you knowing it's happening. Researchers compare the process to taking screenshots of screen contents the malware should not have access to.

How the malware works

There are three reasons Pixnapping attacks are possible on Android, according to researchers. First, the OS allows apps to send another app's activity to the Android rendering pipeline, which allows the malicious app to invoke sensitive activities, like refreshing 2FA codes. Second, apps can run graphical operations on pixels displayed through another app's activity, which is how the malicious app can pull pixels from something like Google Authenticator. Third, apps can measure the pixel color-dependent side effects of those operations, which allows the malicious app to leak the pixel values.

Researchers demonstrated these Pixnapping attacks on Google and Samsung phones, including the Pixel 6, Pixel 7, Pixel 8, Pixel 9, and Galaxy S25. These phones were running Android 13, 14, 15, and 16. Researchers say they aren't sure if other types of Android devices are affected by this attack, though the "core mechanisms" involved are usually present in all Android devices. Different Pixel devices had different rates of success in the 2FA hack (73%, 53%, 29%, and 53% for the Pixel 6, 7, 8, and 9, respectively), though researchers could not obtain 2FA codes on the Galaxy S25 within the 30 second timeline before the codes refreshed.

In addition to devices, researchers demonstrated Pixnapping attacks on sites and services like Gmail, Google Accounts, Signal, Google Authenticator, Venmo, and Google Maps. The implication is that this type of attack could steal many different types of information from your phone, including emails, encrypted messages, payment records, and location histories.

According to the findings, Google has tried to patch Pixnapping, but researchers were able to workaround this patch in demonstrated attacks. The vulnerability is currently tracked as CVE-2025-48561. Google is working on a new patch for the December Android security builtin.

How to protect yourself from Pixnapping

The good news, at this time anyway, is that researchers are not aware of Pixnapping attacks happening in the wild. However, that doesn't mean they won't happen, especially now that the attack has been disclosed.

The first thing to do to protect yourself is to make sure you're running the latest security patches on your Android device. While Google is still working on a subsequent Pixnapping patch, there is a patch in existence. Make sure you install it on your phone by heading to System > Software updates.

Next, be cautious with the apps you download on your device. Always try to download apps from trusted and verified marketplaces, as it's much more difficult for bad actors to hide malware on apps distributed through these stores. Even when you download apps on something like the Google Play Store, investigate the app thoroughly: Ensure it's really the app you think it is, and it's coming from the developer that makes it. If you sideload apps, be careful with what you download, and only install apps from developers you trust.

View the full article