Pixnapping: A New Approach to Information Stealing

Executive Summary

A vulnerability called Pixnapping has been identified in modern Android devices that allows hackers to steal data from pixels on a screen. This attack is a proof of concept that is currently being developed by a multi-institutional research team. There is no mitigation available to prevent Pixnapping, however it is recommended to follow basic cybersecurity best practices to mitigate against such threats. A study of this vulnerability reveals the unexpectedness within the cyber domain and how researchers are working to shed light on these issues.

Background

Researchers from the University of California (UC) Berkeley, UC San Diego, University of Washington, and Carnegie Mellon University have developed a pixel stealing attack that takes advantage of a vulnerability in Android devices to gain information. Pixel stealing refers to an exploit where hackers are able to steal data displayed on a screen as opposed to data on a storage device or while the data is in transit. Pixnapping is a proof of concept that has not been exploited in the real world, but it shows a flaw in modern mobile graphics processing hardware [2]. 

Pixnapping is a type of pixel stealing attack that is built on research from Paul Stone in 2013. Stone’s original proof of concept used a malicious website to steal pixels from a victim website. First, a webpage is converted into monochrome, and its black and white pixels are identified. Stone noticed that rendering these pixels through an image filter is different. So, by measuring each pixel’s rendering time, an attacker can deduce the pixels of an unknown image. A malicious site could load a website that a victim is using and recreate the image pixel by pixel. The copy that the hacker recreates is not always perfect, but it is close enough to determine what the image is [5].

During testing, Stone noticed that this method took very long to produce an image, but his research laid the groundwork for Pixnapping. Researchers today are developing this methodology to take advantage of vulnerabilities in modern hardware to make this approach more practical.

Impact

Mobile devices are used in nearly all aspects of life nowadays, like banking, messaging, and 2-factor authentication (2FA). Hackers with the ability to perform Pixnapping are able to steal any type of information that is displayed on a mobile screen.

Researchers were able to build on Stone’s attack by taking advantage of a side channel vulnerability that exists in modern Android devices, which is being tracked as CVE-2025-48561. Side channels occur when information can be accidentally revealed to an adversary during a device’s normal operating conditions. It should be noted that this vulnerability has the potential to exist in all modern mobile devices. However, the Pixnapping study primarily focused on Google’s Pixel devices and Samsung’s S25 [1].

Pixnapping’s mechanism of attack is similar to Stone’s original work, but a malicious mobile app is used instead of a website. Researchers assumed that the victim downloads the malicious app and runs it during their study. After these actions, there is no other user input required for Pixnapping to occur. The malicious app operates as a hidden background process and follows similar procedures that Stone used. Information can be stolen from any other app that users can see on their screen. So far, researchers have been able to steal things like ephemeral 2FA codes from Google’s Authenticator app, banking and transaction information from the Venmo app, and private messages from the Signal app, among others. The side channel vulnerability is what allows the malicious app to read information from other apps running on a mobile device [6]. The main takeaway of this attack is that anything the user sees on their screen can be recreated and stolen via Pixnapping.

Mitigation

There are currently no known mitigations for the vulnerability at the time of writing this. The Pixnapping researchers have reached out to Google and Samsung about the side channel vulnerability that allows this exploit to occur. Google has issued a patch to mitigate CVE-2025-48561 and plans on issuing another patch later this year. Though the Pixnapping researchers have already found a workaround to the current patch to enable the attack again [3]. Pixnapping’s researchers have not publicly released their source code in response to the potential impact it could have on unpatched devices.

Although Pixnapping has not been seen in real world attacks, users should practice basic cybersecurity hygiene to keep themselves protected. Applications should only be downloaded from verified sources such as the Google Play Store or Apple’s App Store, and users should regularly review and customize app permissions. Jailbreaking devices should also be avoided to reduce the risk of introducing vulnerabilities [4]. Ultimately, Google and Samsung will be responsible for mitigating the risk of this attack, but users should continue to use best practices.

Relevance

Pixnapping introduces a new way for adversaries to steal information. Cyber researchers have revealed how quirks in hardware and software can lead to unexpected threats. It is important to note that this attack is a proof of concept that is still being studied. This study is a perfect example of why it is important for researchers to continue to push the boundaries of what is possible to improve our overall cybersecurity posture. 

References

[1] Arntz, P. (2025, October 14). Pixel-stealing “Pixnapping” attack targets Android devices. Malwarebytes Labs. https://www.malwarebytes.com/blog/news/2025/10/pixel-stealing-pixnapping-attack-targets-android-devices

[2] Culafi, A. (2025, October 14). Pixnapping Attack Lets Attackers Steal 2FA on Android. Dark Reading. https://www.darkreading.com/vulnerabilities-threats/pixnapping-attack-attackers-2fa-android 

[3] Lakshmanan, R. (2025, October 14). New Pixnapping Android Flaw Lets Rogue Apps Steal 2FA Codes Without Permissions. The Hacker News. https://thehackernews.com/2025/10/new-pixnapping-android-flaw-lets-rogue.html  

[4] Purdue University. (2025, January 29). Mobile Devices Security Best Practices. Purdue University. https://www.purdue.edu/securepurdue/forms-and-resources/mobile-devices-security.php 

[5] Stone, P. (2013, July). Pixel Perfect Timing Attacks with HTML5. Blackhat. https://media.blackhat.com/us-13/US-13-Stone-Pixel-Perfect-Timing-Attacks-with-HTML5-WP.pdf 

[6] Wang, A.; Gopalkrishnan, P.; Wang, Y.; Fletcher, C.W.; Shacham, H.; Kohlbrenner, D.; Paccagnella, R. (2025, October 13). Pixnapping: Bringing Pixel Stealing out of the Stone Age. Pixnapping. https://www.pixnapping.com/pixnapping.pdf