The ‘Pixnapping’ Attack Can Steal Your 2FA Codes

Researchers have demonstrated a new type of malware attack capable of stealing sensitive information from Android devices, including Google and Samsung phones, without the target user’s knowledge or action.
The attack is called “Pixnapping”, an apparent portmanteau of “pixel” and “snapping”. When you download and open software containing the malware, the app scans your phone for specific apps it might want to spy on. It then turns to another app on your phone, for example Google Authenticator, but rather than opening it, it extracts the information that would be displayed in the Android rendering pipeline. From there, the app scans the displayed information pixel by pixel, targeting areas known to contain sensitive information. In the case of Google Authenticator, the focus is on pixels known to contain 2FA codes within the app. The malware then checks whether a pixel is empty or contains a certain type of rendered content. It uses these results to recover the original images, like a full 2FA code, without ever actually seeing the original images.
This process can repeat itself for as long as it takes to analyze the stolen pixels and extract the original information, all without you knowing. Researchers liken the process to taking screenshots of screen content that malware should not have access to.
How the malware works
There are three reasons why Pixnapping attacks are possible on Android, according to researchers. First, the operating system allows apps to send another app’s activity to the Android rendering pipeline, allowing the malicious app to invoke sensitive activities, like refreshing 2FA codes. Second, apps can perform graphics operations on pixels displayed through another app’s activity, allowing the malicious app to extract pixels from something like Google Authenticator. Third, applications can measure pixel color-dependent side effects of these operations, which allows the malicious application to leak pixel values.
Researchers have demonstrated these Pixnapping attacks on Google and Samsung phones, including the Pixel 6, Pixel 7, Pixel 8, Pixel 9, and Galaxy S25. These phones ran Android 13, 14, 15, and 16. Researchers say they don’t know if other types of Android devices are affected by this attack, although the “core mechanisms” involved are generally present on all Android devices. Success rates for recovering 2FA codes differed across Pixel devices (73%, 53%, 29%, and 53% for the Pixel 6, 7, 8, and 9, respectively), and researchers were unable to obtain 2FA codes on the Galaxy S25 in the 30 seconds before the codes refreshed.
In addition to devices, researchers have demonstrated Pixnapping attacks on sites and services such as Gmail, Google Accounts, Signal, Google Authenticator, Venmo, and Google Maps. The implication is that this type of attack could steal many different types of information from your phone, including emails, encrypted messages, payment records, and location histories.
According to the findings, Google attempted to patch Pixnapping, but researchers managed to bypass this patch in demonstrated attacks. The vulnerability is currently tracked as CVE-2025-48561. Google is working on a new patch for Android’s December security bulletin.
How to protect yourself from Pixnapping
The good news, at least for now, is that researchers are unaware of Pixnapping attacks occurring in the wild. However, that doesn’t mean it won’t happen, especially now that the attack has been revealed.
The first thing to do to protect yourself is to make sure that you are running the latest security patches on your Android device. While Google is still working on a subsequent Pixnapping fix, an initial fix is already available. Make sure to install it on your phone by going to System > Software updates.
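For anyone checking more than one phone, the same patch check can be scripted. The following is an added example, not code from the researchers or from Google: it parses the text printed by `adb shell getprop` and flags devices whose security patch level is older than a required date. The sample dumps are constructed, and `REQUIRED_LEVEL` is a placeholder to replace with the patch level of the bulletin that carries the fix you need.

```python
import re
from datetime import date

# getprop prints one "[key]: [value]" pair per line.
PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s*\[(?P<value>.*)\]\s*$")

# Android releases the researchers tested, as listed in the article.
TESTED_RELEASES = {"13", "14", "15", "16"}

# Placeholder threshold (assumption, not from the article): set this to the
# patch level of the security bulletin that ships the fix you require.
REQUIRED_LEVEL = date(2025, 12, 1)


def parse_getprop(dump: str) -> dict:
    """Turn `adb shell getprop` output into a {key: value} dict."""
    props = {}
    for line in dump.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def audit_device(dump: str, required: date = REQUIRED_LEVEL) -> dict:
    """Report whether a device's security patch level meets `required`."""
    props = parse_getprop(dump)
    raw = props.get("ro.build.version.security_patch", "")
    try:
        level = date.fromisoformat(raw)
    except ValueError:
        level = None  # missing or malformed value: treat as unpatched
    release = props.get("ro.build.version.release", "").split(".")[0]
    return {
        "model": props.get("ro.product.model", "unknown"),
        "patch_level": level,
        "tested_release": release in TESTED_RELEASES,
        "needs_update": level is None or level < required,
    }


# Constructed sample dumps (not captured from real devices).
SAMPLE_OLD = ("[ro.product.model]: [Pixel 7]\n[ro.build.version.release]: [15]\n"
              "[ro.build.version.security_patch]: [2025-08-05]\n")
SAMPLE_NEW = SAMPLE_OLD.replace("2025-08-05", "2025-12-01")
SAMPLE_BAD = "[ro.product.model]: [Pixel 9]\n[ro.build.version.release]: [16]\n"

if __name__ == "__main__":
    for dump in (SAMPLE_OLD, SAMPLE_NEW, SAMPLE_BAD):
        print(audit_device(dump))
```

A device that reports no patch level at all is flagged as needing an update rather than silently passing.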
Next, be careful with the apps you download to your device. Always try to download apps from trusted and verified marketplaces, as it is much harder for malicious actors to hide malware in apps distributed through these stores. Even when downloading apps from something like the Google Play Store, study the app carefully: make sure it’s the app you think it is and that it’s from the developer who created it. If you download apps, be careful with what you download and only install apps from developers you trust.



