This post is also available in:
עברית (Hebrew)
A newly published academic study has revealed a high-severity Android vulnerability that allows attackers to extract sensitive on-screen content—including two-factor authentication (2FA) codes and private messages—pixel by pixel, without any special permissions. The attack, dubbed “Pixnapping,” affects nearly all modern Android devices and has been shown to work against apps such as Google Authenticator, Gmail, Signal, and Venmo.
The technique was demonstrated by researchers from the University of California, Berkeley, the University of Washington, and Carnegie Mellon University. According to their tests, Android versions 13 to 16, and devices including Google Pixel 6 through 9 and the Samsung Galaxy S25 are all susceptible.
The exploit requires the user to launch a seemingly benign app, which does not request any permissions. Once running, the app silently opens the target app’s activity—such as the main screen of a 2FA app—without alerting the user. It then begins a covert process of extracting on-screen data by isolating individual pixels through carefully controlled overlays and exploiting differences in GPU rendering times.
Using this approach, the researchers were able to reconstruct sensitive screen content, one pixel at a time. Despite the slow extraction rate—between 0.6 and 2.1 pixels per second—this was enough to recover critical information such as one-time passcodes. Full-screen content, such as an email inbox, took between 10 and 25 hours to reconstruct in testing.
The attack manipulates Android’s “intents” system, which allows apps to communicate and trigger activities in other apps. Pixnapping abuses this by opening sensitive screens under semi-transparent overlays that hide the attack from the user.
Google was informed of the vulnerability and classified it as high severity. An initial patch attempted to limit how often blurring effects could be invoked, but the researchers developed a bypass, which remains under embargo. Google is expected to issue a follow-up fix in the December Android security update.
