Researchers at Carnegie Mellon University have discovered a new cyberattack called the Pixnapping attack, capable of stealing sensitive information from Android phones. The attack affects major brands like Google and Samsung. Google has already released a temporary fix and is preparing a stronger patch to stop future exploits.
The attack starts when a user unknowingly installs a malicious app. Once on the device, the app secretly launches another trusted application such as Gmail, Google Authenticator, or Venmo. It then manipulates pixels on the screen linked to areas where private data usually appears.
Pixnapping builds on an earlier GPU flaw known as GPU.zip, first revealed in 2023. Using this method, the attacker can recover images from the screen, pixel by pixel. It’s as if the malicious app is quietly taking screenshots of private data in real time without the user’s knowledge or permission.
Researchers showed that the attack could expose details from popular apps like Gmail, Signal, Google Maps, and Google Authenticator. Even Google Account pages in a browser were vulnerable.
The stolen information depends on what’s visible on the screen. This includes two-factor authentication (2FA) codes, emails, and chat messages. Google Authenticator is especially at risk because the app displays codes in a fixed area, making it easier for attackers to rebuild the image sequence.
During controlled tests, the team extracted 2FA codes from Google Authenticator in under 30 seconds — the same time the codes remain valid. On Google Pixel phones, the success rate reached between 29% and 73%. On Samsung Galaxy S25 devices, however, results were inconsistent and often failed before the codes expired.
The researchers reported the issue to Google in February 2025. It was later assigned the identifier CVE-2025-48561. Google included a partial patch in its September Android update. But after testing, the team managed to bypass it. Google confirmed that a complete fix is in development and will likely arrive by December.
For now, no real-world Pixnapping attacks have been detected. Still, the discovery shows how quickly side-channel attacks are evolving. Even phones with advanced protection can be exposed when attackers exploit hardware-based leaks.
Experts urge Android users to keep their phones updated and avoid installing apps from unverified sources. These precautions can reduce the risk of falling victim until the full patch becomes available.
