Full Report
Android devices from Google and Samsung have been found vulnerable to a side-channel attack that could be exploited to covertly steal two-factor authentication (2FA) codes, Google Maps timelines, and other sensitive data pixel-by-pixel without the users' knowledge. The attack has been codenamed Pixnapping by a group of academics from the University of California (Berkeley), University of
Analysis Summary
# Vulnerability: Pixnapping Side-Channel Attack Allows Rogue Android Apps to Steal 2FA Codes
## CVE Details
- CVE ID: CVE-2025-48561
- CVSS Score: 5.5 (Medium)
- CWE: Not specified in the source text (likely CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, based on the description)
## Affected Systems
- Products: Android devices (Google and Samsung specified, methodology applicable to most Android devices)
- Versions: Android versions 13 through 16 (as tested)
- Configurations: Any device running a susceptible version where a malicious app is installed and launched by the user.
## Vulnerability Description
Pixnapping is a side-channel attack framework targeting Android devices that allows a malicious, unprivileged application to covertly steal sensitive information, such as 2FA codes (e.g., from Google Authenticator) and Google Maps timeline data, pixel-by-pixel. The attack bypasses standard browser mitigations.
The flaw leverages a combination of three factors:
1. **Android Intents:** A malicious app sends Android intents to invoke activities from a target application containing sensitive data.
2. **Pixel Rendering Manipulation:** The rogue app forces victim pixels into the rendering pipeline and induces graphical operations (such as the window blur API) on those pixels using overlaid, semi-transparent Android activities.
3. **Hardware Side-Channel Dependency:** The attack relies on a hardware side-channel mechanism, specifically linked to the **GPU.zip** compression feature in modern integrated GPUs, allowing the attacker to measure color-dependent side effects of these graphical operations on the rendered pixels.
By repeatedly sending target pixels through the pipeline, the attacker can reconstruct the pixel data, including 2FA codes, in under 30 seconds.
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but PoC capability is demonstrated by researchers.
- Complexity: Low (The attack does not require special OS permissions as it leverages existing Android APIs via intents).
- Attack Vector: Local (a malicious app must be installed and run on the device); the network is involved only in delivering that app.
## Impact
- Confidentiality: High (Sensitive data like 2FA codes can be stolen).
- Integrity: Low (No direct data modification mentioned).
- Availability: Low (No direct service disruption mentioned).
## Remediation
### Patches
- Patches were issued by Google as part of the **September 2025 Android Security Bulletin**. Users should apply all available security updates provided by their device manufacturers (e.g., Google or Samsung) corresponding to this bulletin.
### Workarounds
- No specific workarounds were mentioned in the provided text, but typically, this involves avoiding the installation of untrusted applications.
## Detection
- **Indicators of Compromise (IoCs):** The description covers the method rather than runtime IoCs. Potential detection signatures could be built from the behaviour itself: an unprivileged app repeatedly launching activities of an unrelated app via intents within a short window, combined with overlay activities and unusual rendering API calls (e.g., repeated blur requests), or elevated GPU/power usage during application switching and display events.
- **Detection Methods and Tools:** The research paper (linked via pixnapping.com) is the primary source for understanding the attack mechanics, which defenders can use to build application monitoring tools aware of this side-channel technique.
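As an added example (not from the article, the researchers, or any vendor tool), the behavioural heuristic sketched above applied to a constructed event stream: a source package is flagged when, within one sliding window, it repeatedly launches the same foreign package via intents and also attaches overlays and requests blur operations. The event format, package names and thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: float        # seconds since boot (constructed values)
    pkg: str         # package that performed the action
    kind: str        # "intent", "overlay" or "blur"
    target: str = "" # for "intent": package whose activity was launched

# Constructed sample stream (not real device logs). The first package mimics
# the pattern described above; the second is an ordinary launcher.
SAMPLE_EVENTS = [
    Event(10.00, "com.example.rogue", "intent", "com.example.authenticator"),
    Event(10.05, "com.example.rogue", "overlay"),
    Event(10.06, "com.example.rogue", "blur"),
    Event(10.30, "com.example.rogue", "intent", "com.example.authenticator"),
    Event(10.35, "com.example.rogue", "overlay"),
    Event(10.36, "com.example.rogue", "blur"),
    Event(10.60, "com.example.rogue", "intent", "com.example.authenticator"),
    Event(10.65, "com.example.rogue", "overlay"),
    Event(10.66, "com.example.rogue", "blur"),
    Event(12.00, "com.example.launcher", "intent", "com.example.settings"),
    Event(12.10, "com.example.launcher", "overlay"),
]

def flag_pixnapping_pattern(events, window=5.0, min_intents=3):
    """Return packages that, within any sliding window of `window` seconds,
    repeatedly launched the same foreign package via intents (>= min_intents)
    while also attaching overlays and requesting blur operations."""
    flagged = set()
    by_pkg = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_pkg[e.pkg].append(e)
    for pkg, evs in by_pkg.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            kinds = {e.kind for e in win}
            launches = defaultdict(int)
            for e in win:
                if e.kind == "intent" and e.target != pkg:
                    launches[e.target] += 1
            if {"overlay", "blur"} <= kinds and any(n >= min_intents for n in launches.values()):
                flagged.add(pkg)
                break
    return sorted(flagged)
```

The thresholds are deliberately loose; on a real device they would need tuning against baseline app behaviour to avoid flagging legitimate multi-activity flows.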
## References
- Vendor Advisories: Google September 2025 Android Security Bulletin
- Relevant Links:
- Research Paper/Website: hxxps://www.pixnapping.com/
- Related Side-Channel Research: hxxps://thehackernews.com/2023/09/researchers-uncover-new-gpu-side.html