A ‘Pixnapping’ Attack Can Steal Your 2FA Codes.

Researchers have demonstrated a new type of malware attack that can steal sensitive information from Android devices, including Google and Samsung phones, without the knowledge or action of the target user.

The attack is called “Pixnapping,” which appears to be a portmanteau of the words “pixel” and “snapping.” When you download and open an app containing the malware, it scans your phone for specific apps it can spy on. It then accesses another app on your phone, such as Google Authenticator, but instead of opening it, it transfers the displayed information to Android’s rendering pipeline. From there, the malicious app examines the displayed information pixel by pixel, identifying areas containing sensitive information. In the case of Google Authenticator, it focuses primarily on pixels containing 2FA codes within the app. The malware then checks whether each pixel is empty or contains any rendered content. It uses this data to reconstruct the original images, such as the full 2FA code, without ever seeing the original images.

This process can be repeated for as long as it takes to scan the stolen pixels and extract the raw data, all without your knowledge. Researchers compare this process to taking screenshots of screen content that the malware shouldn’t have access to.

How does the malware work?

According to the researchers, there are three reasons why pixel-stealing attacks are possible on Android. First, the OS allows apps to pass another app’s activity into the Android rendering pipeline, allowing a malicious app to perform sensitive actions, such as updating two-factor authentication (2FA) codes. Second, apps can perform graphical operations on pixels rendered through another app’s activity, allowing a malicious app to extract pixels from apps like Google Authenticator. Third, apps can measure the side effects of these operations, which depend on pixel color, allowing a malicious app to reveal pixel values.
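The third condition is why the malware never needs to read the screen: a measurement that differs between an empty and a rendered pixel leaks one bit per pixel, and enough bits identify a digit. The toy simulation below is an added example, not the researchers' code and not tied to any Android API; the 3x5 glyphs, the timing values, the noise model and the sample code are all constructed assumptions.

```python
import random
import statistics

# Constructed 3x5 digit bitmaps, row-major: "1" = rendered pixel, "0" = empty.
GLYPHS = {
    "0": "111101101101111", "1": "010110010010111", "2": "111001111100111",
    "3": "111001111001111", "4": "101101111001001", "5": "111100111001111",
    "6": "111100111101111", "7": "111001001001001", "8": "111101111101111",
    "9": "111101111001111",
}
PIXELS = 15                    # pixels per glyph
FAST_MS, SLOW_MS = 10.0, 12.0  # assumed cost of one operation: empty vs rendered pixel


def make_oracle(code, noise_ms, seed=0):
    """Simulated victim screen. Callers only get a timing per pixel index."""
    screen = [int(b) for digit in code for b in GLYPHS[digit]]
    rng = random.Random(seed)

    def time_op(i):
        # Side effect that depends on pixel content, plus measurement noise.
        return (SLOW_MS if screen[i] else FAST_MS) + rng.gauss(0, noise_ms)

    return time_op


def recover(time_op, n_digits, samples):
    """Rebuild the digits from timings alone; returns (code, measurements used)."""
    threshold = (FAST_MS + SLOW_MS) / 2
    code, used = "", 0
    for d in range(n_digits):
        bits = ""
        for p in range(PIXELS):
            t = statistics.median(time_op(d * PIXELS + p) for _ in range(samples))
            used += samples
            bits += "1" if t > threshold else "0"
        # Snap to the nearest known glyph so a few misread pixels are tolerated.
        code += min(GLYPHS, key=lambda g: sum(a != b for a, b in zip(GLYPHS[g], bits)))
    return code, used


if __name__ == "__main__":
    secret = "402917"  # constructed sample code
    for noise, samples in [(0.0, 1), (0.3, 5)]:
        guess, used = recover(make_oracle(secret, noise), len(secret), samples)
        print(f"noise={noise} samples={samples} -> {guess} ({used} measurements)")
```

In this model, noisier timings need more samples per pixel, and every extra sample costs time against the lifetime of the code being read.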

The researchers demonstrated these Pixnapping attacks on Google and Samsung phones, including the Pixel 6, Pixel 7, Pixel 8, Pixel 9, and Galaxy S25. These phones were running Android 13, 14, 15, and 16. The researchers stated that they are unsure whether other types of Android devices are susceptible to this attack, although the “core mechanisms” involved in this attack are generally present on all Android devices. Different Pixel devices showed varying 2FA cracking success rates (73%, 53%, 29%, and 53% for the Pixel 6, 7, 8, and 9, respectively), although the researchers were unable to obtain 2FA codes on the Galaxy S25 within 30 seconds of updating the codes.

In addition to devices, researchers demonstrated Pixnapping attacks on websites and services such as Gmail, Google Accounts, Signal, Google Authenticator, Venmo, and Google Maps. This type of attack is believed to be capable of stealing a wide range of data from your phone, including emails, encrypted messages, payment information, and location history.

According to the research, Google attempted to patch the Pixnapping vulnerability, but the researchers were able to circumvent it during demonstration attacks. The vulnerability is currently tracked as CVE-2025-48561. Google is working on a new patch for the built-in Android security feature, released in December.

How to protect yourself from Pixnapping

The good news, at least for now, is that researchers are not aware of any real-life cases of Pixnapping attacks. However, that doesn’t mean they won’t happen, especially now that the attack has become publicly known.

The first thing to do to stay protected is to make sure your Android device has the latest security updates. While Google is still working on the next patch for Pixnapping, one is already available. Make sure you’ve installed it on your phone by going to System > Software Updates.

Next, be careful with the apps you download to your device. Always try to download apps from trusted and verified stores, as it’s much harder for attackers to hide malware in apps distributed through them. Even when downloading apps from stores like Google Play, thoroughly check the app: make sure it’s what you think it is and that it was created by the developer it claims to come from. If you download third-party apps, be careful what you download and only install apps from developers you trust.
