New Android Attack ‘Pixnapping’ Threatens Crypto Wallet Security

Security researchers have uncovered a serious Android vulnerability that could expose cryptocurrency wallet seed phrases and two-factor authentication codes.

The attack, named Pixnapping, works by reading what’s displayed on your screen, pixel by pixel, without needing any special permissions.

How the Attack Works

Pixnapping exploits weaknesses in how Android displays information on your screen. A research team from UC Berkeley, Carnegie Mellon, and other universities found that malicious apps can reconstruct sensitive data by measuring tiny timing differences in how pixels are rendered.

The attack happens in three steps. First, a malicious app triggers another app (like Google Authenticator) to display sensitive information. Second, it overlays semi-transparent windows and uses Android’s blur API to manipulate individual pixels. Third, it measures rendering times through a hardware weakness called GPU.zip to steal pixel values one at a time.

Figure: How the attack works (source: pixnapping.com)

Think of it like taking a screenshot, but instead of capturing the whole screen at once, the attacker reconstructs the image pixel by pixel by measuring how long each one takes to draw. The malicious app doesn’t need screen recording permissions or notification access; it simply exploits standard Android features that most apps can use.

Real-World Testing Results

Researchers tested Pixnapping on five devices: Google Pixel 6, 7, 8, and 9, plus Samsung Galaxy S25. All ran Android versions 13 through 16. The results were concerning for Pixel owners. On Pixel devices, the attack successfully recovered full six-digit 2FA codes in 73% of attempts on Pixel 6, 53% on Pixel 7 and 9, and 29% on Pixel 8. Recovery times ranged from 14 to 26 seconds, well within the 30-second window that most authentication codes remain valid.

Interestingly, the Samsung Galaxy S25 proved more resistant. Researchers were unable to recover codes within 30 seconds on this device due to noise in its graphics hardware. The team demonstrated successful data theft from popular apps including Google Authenticator, Signal, Venmo, Gmail, and Google Maps. Any information visible on screen becomes vulnerable, from private messages to location data.

Critical Threat to Crypto Wallets

For cryptocurrency holders, this vulnerability poses a major risk. Wallet seed phrases, the 12 or 24 words that grant full access to your crypto, are especially vulnerable because users often leave them displayed while writing them down for backup.

While stealing a full 12-word phrase takes longer than grabbing a 2FA code, the attack remains effective if the phrase stays visible. Once attackers have your seed phrase, they control your entire wallet. No additional passwords or security measures can stop them from draining your funds.

Hardware wallets remain the safest option because they never display seed phrases on internet-connected devices. The private keys stay isolated in the hardware device, signing transactions without exposing sensitive information to your phone or computer.

Current Patch Status

Google learned about Pixnapping in February 2025 and assigned it CVE-2025-48561, rating it high severity. The company released a partial fix in September 2025 by limiting how many times apps can use blur effects, a key component of the attack.

However, researchers found a workaround that bypasses Google’s first patch. Google confirmed it will release another update in the December 2025 security bulletin to address remaining vulnerabilities.

The good news: Google reports no evidence of real-world attacks using Pixnapping. Their Play Store security systems haven’t detected any malicious apps exploiting this vulnerability. But the attack remains possible on unpatched devices.

Samsung devices also received the September patch. Researchers notified Samsung that Google’s initial patch was insufficient to protect Samsung devices from the original attack. Both companies continue coordinating on additional protections.
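
As an added example (not code from the researchers, Google, or Samsung), this shell script triages devices against the patch timeline described above. It assumes the month of a device's reported security patch level maps directly onto the September 2025 partial fix and the December 2025 bulletin; the function names, status labels, and inventory lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage devices against the Pixnapping (CVE-2025-48561)
# patch timeline reported in this article.
# Assumption: the month of the reported security patch level maps directly
# onto the September 2025 partial fix and the December 2025 bulletin.
# On a live device the level comes from:
#   adb shell getprop ro.build.version.security_patch

# classify_patch_level YYYY-MM-DD -> prints one status word
classify_patch_level() {
    level=$1
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;   # missing or malformed value
    esac
    ym=$(printf '%s' "$level" | cut -c1-4,6-7)   # 2025-09-05 -> 202509
    if [ "$ym" -lt 202509 ]; then
        echo "unpatched"
    elif [ "$ym" -lt 202512 ]; then
        echo "partial-fix"          # September fix only; bypass reported
    else
        echo "dec-2025-or-later"
    fi
}

# audit_inventory: reads "serial,model,patch_level" lines on stdin and
# prints every device that is below the December 2025 level or unknown.
audit_inventory() {
    while IFS=, read -r serial model level; do
        [ -n "$serial" ] || continue
        status=$(classify_patch_level "$level")
        if [ "$status" != "dec-2025-or-later" ]; then
            echo "$serial $model $status"
        fi
    done
}

# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY='SERIAL-A,Pixel 6,2025-08-05
SERIAL-B,Pixel 9,2025-10-05
SERIAL-C,Galaxy S25,2025-12-01
SERIAL-D,Pixel 7,not-reported'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

Devices reported as `unknown` are listed alongside unpatched ones so that a missing patch level is never read as a pass.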

Protecting Your Assets

No specific mitigation exists yet for individual apps to defend against Pixnapping. The fixes must come from Google and Samsung at the system level. Meanwhile, several steps can reduce your risk:

Install security updates immediately when they arrive. The December patch should significantly improve protection for compatible devices.

Download apps only from Google Play Store, avoiding unknown APK files from websites or third parties. Review what permissions your apps request; although Pixnapping doesn’t need special permissions, limiting app access still improves overall security.

Never display crypto wallet seed phrases on any internet-connected device if possible. Write them down on paper immediately rather than leaving them on screen. Better yet, use a hardware wallet for storing significant cryptocurrency holdings.

Consider the broader security landscape. This year has seen major crypto theft, with billions lost to various attacks. Mobile security represents just one vulnerability among many.

The Bigger Picture

Pixnapping reveals fundamental weaknesses in how Android handles window layering and graphics rendering. The attack exploits data compression in Mali GPUs used by Pixel phones; compression creates timing differences that leak information about pixel values.

Other Android phone manufacturers likely face similar risks since the necessary mechanisms exist across the Android ecosystem. The research team hasn’t tested all brands yet, but the core APIs enabling the attack are standard Android features.

The underlying GPU.zip hardware vulnerability remains unpatched. No GPU manufacturers have committed to fixing the compression timing leak that makes Pixnapping possible.

Researchers will release their proof-of-concept code on GitHub once patches are widely available.

Bottom Line

Pixnapping demonstrates that even apps without suspicious permissions can pose serious threats. For crypto users, the message is clear: keep seed phrases off your phone. Use hardware wallets for serious holdings. Install updates promptly. And remember that convenience often conflicts with security; protecting your crypto requires taking extra steps that may feel inconvenient but could save you from total loss.

Sven Luiv