New 'Pixnapping' attack lets hackers steal Android chats, 2FA codes in seconds

Key Takeaways
- A new Android attack named "Pixnapping" allows malicious apps to steal any data visible on the screen, including chats and 2FA codes.
- The attack requires the victim to install a malicious app, which then uses a hardware side channel to read screen pixels and perform OCR.
- The vulnerability stems from an unintended data leak within the Android API's rendering pipeline.
- Researchers from multiple universities collaborated on the discovery and shared details online ahead of a conference publication.
- Google has acknowledged the vulnerability and released an initial patch; after the researchers found a way around that patch, Google scheduled a more comprehensive fix for its December security bulletin.
Cybersecurity researchers have disclosed a new attack on Android devices, dubbed "Pixnapping," that lets a malicious app steal sensitive information shown on the screen, including private messages and two-factor authentication (2FA) codes, within seconds.

The attack begins when the victim installs a malicious app. No special permissions are described as being needed; instead, the app abuses Android APIs to get a target app's content drawn on screen, applies graphical operations to the rendered pixels, and uses a hardware side channel to recover the values of individual pixels. The recovered pixels are reassembled into an image, and optical character recognition (OCR) turns that image into text.

The technique is documented in a research paper by a team from UC Berkeley, Carnegie Mellon University and other institutions. It works against any data that another application visibly displays: it cannot recover information that is hidden or obscured, but anything explicitly drawn on screen is exposed, much like an unauthorized screenshot.

The team reported the issue to Google in February. Google shipped an initial patch last month, but the researchers found a way around it shortly afterward, and Google now plans a more comprehensive fix in its December security bulletin.

The attack has been demonstrated on several Google Pixel and Samsung Galaxy models. The researchers say they are not aware of it being used in real-world attacks.
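Because Pixnapping is mitigated by platform patches rather than by app permissions, the practical check for a device or a fleet is whether the installed Android security patch level is at or after the bulletin that fixes it. The following is an added example, not code from the article or from the researchers: it parses the output of `adb shell getprop` (the sample dump below is constructed, not captured from a real device) and compares `ro.build.version.security_patch` against a required date. The required date is passed in by the caller because the article gives only "last month" for the initial patch and "December" for the comprehensive fix; the dates used in the usage call are assumptions.

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop` output; not real device output.
SAMPLE_GETPROP = """[ro.build.version.release]: [16]
[ro.build.version.security_patch]: [2025-10-05]
[ro.product.model]: [Pixel 9]
"""

# getprop prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$", re.M)

PATCH_PROP = "ro.build.version.security_patch"


def parse_getprop(dump: str) -> dict:
    """Turn a getprop dump into a {key: value} dict."""
    return {m.group("key"): m.group("val") for m in PROP_RE.finditer(dump)}


def parse_patch_level(value: str) -> date:
    """Parse the YYYY-MM-DD security patch level string into a date.

    Raises ValueError on anything that is not a well-formed date, so a
    blank or vendor-mangled property is reported rather than silently passed.
    """
    year, month, day = (int(part) for part in value.strip().split("-"))
    return date(year, month, day)


def patch_status(dump: str, required: date) -> dict:
    """Report whether the dump's patch level is at or after `required`.

    A missing or unparseable patch level is treated as not OK: an unknown
    state should fail closed when deciding whether a device is protected.
    """
    props = parse_getprop(dump)
    raw = props.get(PATCH_PROP)
    if raw is None:
        return {"ok": False, "reason": f"{PATCH_PROP} not present in dump"}
    try:
        level = parse_patch_level(raw)
    except ValueError:
        return {"ok": False, "reason": f"unparseable patch level {raw!r}"}
    return {
        "ok": level >= required,
        "patch_level": level.isoformat(),
        "required": required.isoformat(),
        "model": props.get("ro.product.model", "unknown"),
    }


if __name__ == "__main__":
    # Assumed required dates: an initial-patch bulletin and the December
    # bulletin the article says will carry the comprehensive fix.
    for required in (date(2025, 9, 5), date(2025, 12, 5)):
        print(required, patch_status(SAMPLE_GETPROP, required))
```

On a real device the dump comes from `adb shell getprop`; the comparison is a date comparison, not a string comparison, so a vendor that pads or reformats the field is caught by the parse step instead of producing a false pass.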
