Full Report
The malicious app needed to make a “Pixnapping” attack work requires no permissions.
Analysis Summary
# Vulnerability: Pixnapping Attack Stealing Screen Content on Android
## CVE Details
- CVE ID: Not explicitly provided in the text. (This appears to be a disclosure of a research finding which may or may not have an assigned CVE yet.)
- CVSS Score: Not explicitly provided in the text.
- CWE: Potentially related to Improper Input Validation or data leakage concerning graphical output side channels.
## Affected Systems
- Products: Google Pixel phones, Samsung Galaxy S25 phone.
- Versions: Android devices generally, mitigated by later Google updates, though a modified attack reportedly bypasses recent mitigations.
- Configurations: The victim must install a malicious application; that application needs no special permissions.
## Vulnerability Description
The vulnerability, dubbed "Pixnapping," is a side-channel attack that allows a malicious application, once installed on an Android device, to steal visible sensitive data from other running applications. It functions by exploiting the precise timing required for the graphics processing unit (GPU) to render frames onto the screen (similar to the GPU.zip attack).
The attack proceeds in three steps:
1. **Invocation:** The malicious app uses Android APIs (`activities`, `intents`, `tasks`) to prompt a target app (e.g., an authenticator or messaging app) to display sensitive information (like 2FA codes or chat messages). This information enters the Android rendering pipeline.
2. **Pixel Analysis:** The malicious app performs graphical operations on the pixels destined for output, specifically measuring the frame rendering time pixel-by-pixel.
3. **Data Reconstruction:** By analyzing the rendering time, the attacker can determine the color state of specific pixels (e.g., distinguishing between white background and non-white characters/shapes) to reconstruct visible information, such as numbers or letters being displayed. Information must be visible on the screen to be stolen; secrets stored but never displayed are safe.
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but the capability has been demonstrated by researchers.
- Complexity: Low (requires installation of a seemingly benign app and uses standard Android APIs for initiation).
- Attack Vector: Local (requires application installation).
## Impact
- Confidentiality: High (Can steal 2FA codes, chat messages, email content, and other visually displayed secrets).
- Integrity: Low (No direct modification of systems or data).
- Availability: Low (No direct impact on system availability reported).
## Remediation
### Patches
- Google released mitigations last month (relative to the article date), but researchers state a modified version of the attack reportedly bypasses these updates. Specific patch versions are not detailed.
### Workarounds
- The primary workaround is avoiding the installation of unauthorized or untrusted applications.
- Since the attack relies on visual data, any application or platform utilizing hidden secrets not displayed on the screen is inherently safer from this specific mechanism.
## Detection
- Indicators of Compromise: High-frequency or unusual foreground rendering activity originating from an application that should not require such access.
- Detection methods and tools: Difficult to detect as the malicious app requires no explicit permissions, operating by interpreting the timing data from the GPU rendering pipeline. Traditional permission monitoring may fail to flag this threat.
## References
- Vendor advisories: Google released mitigations, but details are scarce.
- Relevant links (defanged):
  - Research paper: hxxps://www.pixnapping.com/pixnapping.pdf
  - Informational website: hxxps://www.pixnapping.com/