Messages, emails, authentication codes… So much information that your smartphone stores, displays and that can be stolen by hackers through a new type of attack. Its name: Pixnapping. It joins the family of pixel-stealing attacks discovered in 2013. Highlighted by researchers from the universities of California (Berkeley and San Diego), Washington and Carnegie Mellon, it concerns Android smartphones only.
“We have demonstrated pixnapping attacks on Google and Samsung smartphones and end-to-end recovery of sensitive data from websites like Gmail and Google Account, and apps like Signal, Google Authenticator, Venmo, and Google Maps,” they said.
An unauthorized screenshot
The researchers tested their attack on five smartphones running Android 13 to 16, namely the Google Pixel 6, 7, 8 and 9, as well as the Samsung Galaxy S25.
To begin with, the attack requires the victim to install a malicious application on their smartphone, which is not necessarily very complicated for a hacker or cyber attacker to be successful. By not requiring system authorization, you can read the data displayed on the screen by any other installed application, as long as it remains open, even in the background.
It achieves this by targeting the pixels of a smartphone’s screen. Invokes Android APIs that cause the target application to send sensitive information to the device screen. It then causes graphical operations on the individual pixels of interest to the attacker. In the case of Google Authenticator for example, these are the pixels that are part of the area of the screen where a 2FA character is displayed. They will then be stolen through an auxiliary channel.
They also specify that pixnapping against Google Authenticator “allows any malicious application to steal 2FA codes in less than 30 seconds, hiding the attack from the user. An important element to take into account given that double authentication applications change the codes every 30 seconds.”
The researchers don’t know if their method has already been used by hackers or if other smartphones besides the ones they tested are also affected. But they believe that pixnapping using Android APIs and a hardware channel could affect virtually all modern Android devices.
Google has already taken action, starting by implementing a patch that “partially mitigates” the problem in early September, as the company assured Ars Technica. He plans to release another for the flaw in December, although so far he has “not seen any evidence of real-world exploitation.” These two solutions demonstrate the reality of the pixnapping threat, although the Mountain View giant also specifies that, to operate, attackers need to know certain specific information about the device. However, as the researchers point out, this is the first time that a pixel theft attack allows access to secret data stored locally, opening new doors for attackers and expanding the attack surface in the context of a campaign based, for example, on social engineering.
Source: BFM TV
