2FA Codes Remain Vulnerable to “Pixnapping” Attack on Android Despite Patches
A new attack dubbed “Pixnapping” allows hackers to potentially steal two-factor authentication (2FA) codes from Android phones, and while Google has released patches, the vulnerability isn’t fully resolved. Researchers demonstrated the ability to extract 6-digit codes from Google Authenticator by analyzing how the app renders images on the screen.
The attack operates in three stages. First, a malicious app is launched alongside the target app (such as Google Authenticator). Second, the malicious app performs graphical operations on individual pixels the target app sends for rendering, determining whether a pixel contains data (is non-white) or is blank (white). This is achieved by opening windows in front of the target app and measuring rendering times: longer times indicate that a pixel contains information. Third, by meticulously measuring the time taken at each coordinate, the attack reconstructs the images sent to the rendering pipeline, pixel by pixel, revealing the 2FA code.
Researchers optimized the attack to meet the 30-second time limit for valid 2FA codes. They reduced the number of samples taken per pixel to 16 (from 34 or 64 in previous attacks) and decreased the delay between pixel reads to 70 milliseconds. Their implementation waits for the start of a new 30-second interval to maximize available time.
Testing on Google Pixel phones yielded varying success rates. The attack successfully recovered full 6-digit 2FA codes in 73% of trials on the Pixel 6, 53% on the Pixel 7, 29% on the Pixel 8, and 53% on the Pixel 9. The average recovery times were 14.3 seconds (Pixel 6), 25.8 seconds (Pixel 7), 24.9 seconds (Pixel 8), and 25.3 seconds (Pixel 9). However, the attack proved unsuccessful on a Samsung Galaxy S25 due to significant interference, and the researchers noted that further work is needed to adapt the technique for that device.
Google acknowledged the vulnerability, identified as CVE-2025-48561, and released a partial patch in the September Android security bulletin. An additional patch is planned for release in the December Android security bulletin. According to a Google representative, there is currently no evidence of this attack being exploited in the wild.