
Pixnapping (CVE-2025-48561): Critical Android Vulnerability Enables Stealthy Theft of 2FA Codes and Sensitive On-Screen Data

  • Rescana

Executive Summary

A critical new vulnerability, designated Pixnapping (CVE-2025-48561), has been identified in the Android ecosystem, enabling malicious applications to surreptitiously capture sensitive on-screen data such as two-factor authentication (2FA) codes, private messages, and financial information. This attack leverages a sophisticated combination of Android OS features and a GPU hardware side channel, effectively bypassing the traditional sandboxing and permission models that underpin Android security. Proof-of-concept demonstrations have shown that attackers can extract 2FA codes from Google Authenticator in under 30 seconds, with the attack impacting a broad spectrum of modern Android devices, including flagship models from Google and Samsung. The stealthy nature of Pixnapping—requiring no special permissions and leaving no visible trace—elevates the risk profile for both individual and enterprise users. While there are currently no confirmed cases of exploitation in the wild, the technical sophistication and potential impact of this vulnerability demand immediate attention and proactive mitigation.

Threat Actor Profile

There is currently no public attribution of Pixnapping exploitation to any known APT group. No threat intelligence feeds, vendor reports, or open-source intelligence sources have documented active use of this vulnerability by state-sponsored actors, cybercriminal groups, or hacktivist collectives. Nevertheless, the advanced nature of the attack and its potential to compromise high-value targets suggest that it could become a tool of interest for APTs and sophisticated cybercriminals in the near future. Organizations operating in sectors with elevated threat profiles—such as finance, government, and critical infrastructure—should monitor for emerging indicators of compromise and threat actor interest in Pixnapping-style attacks.

Technical Analysis of Malware/TTPs

The Pixnapping vulnerability, tracked as CVE-2025-48561, represents a novel class of side-channel attacks that exploit the intersection of Android’s graphical subsystem and GPU hardware behavior. The attack is executed via a malicious Android application that does not require any special permissions, making it particularly insidious and difficult to detect through conventional security controls.

The attack chain begins with the installation of a seemingly innocuous app by the victim. This app abuses Android’s Intent system and overlay capabilities to position nearly transparent windows atop target applications. By exploiting a GPU hardware side channel—specifically, the way the GPU processes and renders pixel data—the malicious app can infer the color and content of underlying pixels through precise timing analysis. This process, known as pixel timing analysis, allows the attacker to reconstruct sensitive on-screen information, such as 2FA codes displayed by Google Authenticator, private messages in Signal, financial data in Venmo, emails in Gmail, and even location data in Google Maps.

The technical core of Pixnapping lies in its exploitation of the GPU’s rendering pipeline. When a transparent overlay is placed over a target app, the GPU must composite the overlay and the underlying window. By measuring the time it takes for the GPU to render specific pixel patterns—timing that varies subtly based on the color and content of the underlying pixels—the attacker can deduce the information being displayed. This side channel is hardware-dependent but has been demonstrated on a range of devices, including Google Pixel 6–9 and Samsung Galaxy S25, running Android 13 through Android 16.

The attack does not require the target application to be in the foreground; as long as the malicious app can create overlays, it can harvest data from background apps. Data exfiltration is achieved by transmitting the reconstructed information to a remote command-and-control (C2) server controlled by the attacker. The entire process is highly automated and can be executed in under 30 seconds for 2FA code extraction, as demonstrated in public research.

From a detection standpoint, Pixnapping is challenging to identify. The malicious app does not request suspicious permissions, and its use of overlays is not inherently malicious within the Android security model. Traditional endpoint security solutions may not flag such behavior, especially if the app is distributed through legitimate channels or obfuscated to evade static analysis.

The attack has been mapped to several MITRE ATT&CK techniques, including T1055 (Process Injection) for overlaying windows, T1010 (Application Window Discovery) for targeting sensitive app windows, T1204 (User Execution) for requiring user installation, and T1140 (Deobfuscate/Decode Files or Information) for the timing analysis used to reconstruct pixel data.

Exploitation in the Wild

As of October 2025, there are no confirmed reports of Pixnapping being exploited in the wild by advanced persistent threat (APT) groups or criminal malware campaigns. The technical complexity of the attack—requiring deep expertise in Android internals, GPU hardware, and side-channel analysis—has likely limited its adoption to highly skilled threat actors. The research team responsible for the discovery has withheld public release of proof-of-concept code until effective patches are available, reducing the immediate risk of widespread exploitation. However, the publication of detailed technical analyses and the eventual release of PoC code may lower the barrier to entry for less sophisticated actors in the future. Organizations and individuals should remain vigilant, as the attack’s stealthy nature and high impact make it an attractive vector for targeted attacks once weaponized.

Victimology and Targeting

The Pixnapping vulnerability affects a broad range of Android devices and OS versions. Confirmed affected devices include Google Pixel 6, Pixel 7, Pixel 8, Pixel 9, and Samsung Galaxy S25. The underlying vulnerability is present in Android 13, Android 14, Android 15, and Android 16. Other devices running these Android versions are likely susceptible, given the generic nature of the GPU side channel and overlay abuse. The attack targets applications that display sensitive information on-screen, including but not limited to Google Authenticator, Signal, Venmo, Gmail, Google Maps, and Google Accounts. The vulnerability was disclosed to Google and Samsung in February 2025. As of October 2025, only partial mitigations have been released by Google, with a comprehensive fix still pending.

Mitigation and Countermeasures

Mitigating the risk posed by Pixnapping requires a multi-layered approach, combining technical controls, user awareness, and ongoing vigilance. Users and organizations should ensure that all Android devices are updated with the latest security patches from Google and device manufacturers. While a full fix is not yet available, partial mitigations may reduce the attack surface. Users should practice strict app hygiene by installing applications only from trusted sources such as Google Play and avoiding sideloading APKs from unverified origins. Regularly auditing installed apps and their permissions is essential; any app exhibiting overlay behavior without a clear justification should be scrutinized and, if necessary, removed. Organizations should monitor for unusual network traffic patterns, particularly outbound connections to unfamiliar C2 servers following the installation of new apps. For critical accounts, the adoption of hardware-based 2FA tokens, such as YubiKey, is strongly recommended, as these are immune to on-screen data harvesting attacks. Security teams should stay informed about further updates from Google and Samsung regarding comprehensive remediation and be prepared to deploy patches as soon as they become available.
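The patch-level and app-hygiene checks recommended above, as an added shell audit that is not part of the Rescana advisory: it reads the device's security patch level and lists third-party packages not installed through Google Play. It assumes `adb` is on the PATH and uses the September 2025 bulletin date as the baseline patch level (an assumption; substitute the bulletin that carries the fix for your devices).

```shell
#!/bin/sh
# Added audit helper for the advisory's mitigations (example code, not Rescana's):
# 1) is the device's security patch level at or after an assumed baseline?
# 2) which third-party apps were not installed through Google Play (sideloaded)?
# Assumptions: the September 2025 bulletin date as baseline; "adb" on PATH.

BASELINE_PATCH="2025-09-01"   # assumed baseline, taken from the bulletin referenced above

# patch_is_current LEVEL: succeed if LEVEL (YYYY-MM-DD) is on or after the baseline.
patch_is_current() {
    lvl=$(printf '%s' "$1" | tr -d '-')
    base=$(printf '%s' "$BASELINE_PATCH" | tr -d '-')
    [ -n "$lvl" ] && [ "$lvl" -ge "$base" ]
}

# sideloaded_packages: read "pm list packages -3 -i" output on stdin and print
# the name of every third-party package whose installer is not Google Play.
sideloaded_packages() {
    while IFS= read -r line; do
        case "$line" in
            package:*installer=*) ;;
            *) continue ;;
        esac
        pkg=${line#package:}; pkg=${pkg%% *}
        inst=${line##*installer=}
        [ "$inst" = "com.android.vending" ] || printf '%s\n' "$pkg"
    done
}

# Constructed sample in the format "pm list packages -3 -i" prints (not from a real device).
SAMPLE_PACKAGES='package:com.example.bank installer=com.android.vending
package:com.example.overlaytool installer=null
package:com.example.notes installer=com.android.vending
package:com.example.sideloaded installer=com.android.packageinstaller'

# audit_device: run both checks against the attached device via adb.
audit_device() {
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    if patch_is_current "$level"; then
        echo "patch level $level: OK (>= $BASELINE_PATCH)"
    else
        echo "patch level $level: OUTDATED, apply the latest security update"
    fi
    echo "third-party apps not installed from Google Play (review each):"
    adb shell pm list packages -3 -i | tr -d '\r' | sideloaded_packages
}

# Run against a device only when asked; otherwise the constructed sample exercises the parser.
if [ "${1:-}" = "--device" ]; then
    audit_device
else
    printf '%s\n' "$SAMPLE_PACKAGES" | sideloaded_packages
fi
```

Any package the script lists is not proof of compromise; it is the set the advisory says to review for overlay behaviour without a clear justification.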


About Rescana

Rescana is committed to empowering organizations with actionable threat intelligence and robust third-party risk management. Our TPRM platform enables you to continuously monitor, assess, and mitigate cyber risks across your digital supply chain, ensuring that emerging threats like Pixnapping are identified and addressed before they can impact your business. We are dedicated to providing timely advisories, technical guidance, and support to help you navigate the evolving threat landscape. If you have any questions about this advisory or require further assistance, please contact us at ops@rescana.com.
