Android attack: Pixnapping dismantles 2FA in seconds | The Express Tribune

Key Takeaways
- Researchers discovered a new Android attack called 'Pixnapping' that steals on-screen sensitive data, including 2FA codes.
- The attack bypasses existing browser mitigations by targeting non-browser apps and reconstructing data pixel by pixel based on rendering time measurements.
- Full six-digit 2FA codes were recovered from Google Authenticator in under 30 seconds on tested Google Pixel devices.
- The exploit requires only the installation and opening of a malicious, no-permissions application.
- Mitigation advice: users should install the latest Android patches, and developers should restrict transparent overlays on sensitive activities.

Researchers from several universities, including UC Berkeley and the University of Washington, have detailed a new Android attack named Pixnapping that exploits how apps render pixels on the screen to steal sensitive data. The attack bypasses current browser-based pixel-stealing mitigations by targeting non-browser applications, allowing attackers to covertly read one-time passcodes, chat messages, and email content. The mechanism involves forcing a target application to display its content while the malicious app measures the rendering time of individual pixels to reconstruct characters and symbols. In testing, the team recovered six-digit 2FA codes from Google Authenticator in under 30 seconds on several Google Pixel models, though recovering an entire screen takes significantly longer due to the modest pixel leak rate. The researchers advise users to install the latest Android patches and suggest that developers restrict transparent layering over sensitive activities to mitigate this threat. Google has acknowledged the issue, released a partial mitigation in September, and plans further security patches. According to some tech media reports, no evidence of active exploitation has been seen.




