New 'Pixnapping' attack lets hackers steal Android chats, 2FA codes in seconds

Cybersecurity researchers have discovered a new type of attack that affects Android devices, and they say it lets hackers get their hands on your private data in a matter of seconds.

This includes your private chats, text messages, emails, and even two-factor authentication (2FA) codes, as Ars Technica reported.

The attack, dubbed "Pixnapping" by the team of researchers who discovered it, can be used to extract information from any data displayed on the screen. First, the victim has to download a malicious app. Once the app is installed, a Pixnapping attack can occur without the victim providing any further device permissions.

"Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping," reads a message on the Pixnapping website, a resource created by researchers to share information on the attack. "Chat messages, 2FA codes, email messages, etc. are all vulnerable since they are visible."

According to the Pixnapping website, the vulnerability is detailed in a new research paper, part of a collaboration between seven researchers at the University of California, Berkeley, University of Washington, University of California, San Diego, and Carnegie Mellon University. A preprint of the paper, titled “Pixnapping: Bringing Pixel Stealing out of the Stone Age,” is available online and will be published this week at the 32nd ACM Conference on Computer and Communications Security in Taiwan.

Information that can not be displayed on the Android device's screen, such as a secret key that is obscured using asterisks for example, cannot be stolen by the hackers in a Pixnapping attack. This is because of the way the attack is carried out.

Once a victim installs the malicious app, it weaponizes the Android API to target other apps with access to sensitive data. The app then accesses the pixels displayed on the screen using an unintended data leak, also known as a hardware side channel. The malicious app pushes those individual pixels through the rendering pipeline, where the Pixnapping attack then performs graphical operations. This continues until optical character recognition, or OCR, can occur, meaning the app can extract text from visuals.

In effect, any information that's displayed on your device's screen can then be stolen.

"Conceptually, it is as if the malicious app was taking a screenshot of screen contents it should not have access to," the Pixnapping site reads.

Researchers tested the Pixnapping attack on Google Pixel 6 through 9 smartphones, as well as the Samsung Galaxy S25, running numerous different versions of the Android mobile operating system, from Android 13 to 16.

While this is certainly concerning news, researchers say that they are unaware of any real-world examples of the exploit being used in the wild. 

The team of cybersecurity researchers informed Google of the Android vulnerability in February. Google released its first patch for Pixnapping last month. However, the researchers discovered a workaround within days, and informed Google once again. Google says it will release an additional Pixnapping patch in its December Android security bulletin.