
Researchers Uncover ‘Pixnapping’ Android Attack Capable of Stealing 2FA Codes in Seconds

A newly discovered Android vulnerability known as “pixnapping” is raising serious concerns among security researchers, as it allows hackers to extract sensitive on-screen information pixel by pixel and reconstruct it into readable data. The attack, developed by researchers from several US universities, can steal two-factor authentication (2FA) codes in as little as 14 to 25 seconds, fast enough to use them before they expire.

The technique works by exploiting Android’s application programming interfaces (APIs) and the system’s ability to create transparent interface layers. A malicious app places invisible windows over another app, then analyses subtle pixel changes on the screen to gradually rebuild what the user is viewing. While the process is slow for full messages or screenshots, it is fast enough to capture short-lived security codes and potentially other valuable snippets of information.

Researchers demonstrated that even encrypted messages from secure apps like Signal could be reconstructed using this method, although doing so required significantly more time. By isolating and reassembling individual pixels, attackers can rebuild any sensitive content displayed on the device.

The attack relies on Android Intents, a core system component that lets apps request actions from other apps. By manipulating this mechanism, a malicious app can stack transparent layers over targeted apps without needing special permissions. This makes detection more challenging and raises concerns about how easily such a malicious app could be disguised as a legitimate tool.

Google has already issued an initial patch aimed at limiting the blur functions that enable these transparent layers. However, researchers have found a workaround, meaning the vulnerability is not yet fully resolved. A more comprehensive fix is expected in Google’s December Android security bulletin.

The attack has been tested on devices from Samsung and Google, suggesting wide potential exposure. The findings follow recent discoveries that more than one million Android devices were infected by a hidden backdoor and that thousands of users unknowingly installed malicious apps posing as legitimate software.

The pixnapping vulnerability highlights a growing trend in sophisticated phone-based attacks. While Apple devices have faced their own high-profile exploits, such as Pegasus, Android’s openness means attackers are continuously finding new ways to exploit system mechanisms. Security experts emphasise the importance of installing updates as soon as they become available, avoiding unverified apps, and remaining alert to unusual device behaviour.

As researchers, developers and hackers continue their ongoing cat-and-mouse battle, pixnapping serves as another reminder that even a single pixel can betray a user’s most private information.
