Android devices are susceptible to a new attack that can covertly steal two-factor authentication codes, location timelines, and other private data in less than 30 seconds.
The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet. The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work. Google released mitigations last month, but the researchers said a modified version of the attack works even when the update is installed.
Like Taking a Screenshot
Pixnapping attacks begin with the malicious app invoking Android programming interfaces that cause the authenticator or other targeted apps to send sensitive information to the device screen. The malicious app then runs graphical operations on individual pixels of interest to the attacker. Pixnapping then exploits a side channel that allows the malicious app to map the pixels at those coordinates to letters, numbers, or shapes.
“Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping,” the researchers wrote on an informational website. “Chat messages, 2FA codes, email messages, etc. are all susceptible since they are visible. If an app has secret information that is not visible (e.g., it has a secret key that is stored but never shown on the screen), that information cannot be stolen by Pixnapping.”
The new attack class is reminiscent of GPU.zip, a 2023 attack that allowed malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites. It worked by exploiting side channels found in GPUs from all major suppliers. The vulnerabilities that GPU.zip exploited have never been fixed. Instead, the attack was blocked in browsers by limiting their ability to open iframes, an HTML element that allows one website (in the case of GPU.zip, a malicious one) to embed the contents of a site from a different domain.
Pixnapping targets the same side channel as GPU.zip, specifically the precise amount of time it takes for a given frame to be rendered on the screen.
“This allows a malicious app to steal sensitive information displayed by other apps or arbitrary websites, pixel by pixel,” Alan Linghao Wang, lead author of the research paper “Pixnapping: Bringing Pixel Stealing out of the Stone Age,” explained in an interview. “Conceptually, it is as if the malicious app was taking a screenshot of screen contents it should not have access to. Our end-to-end attacks simply measure the rendering time per frame of the graphical operations to determine whether the pixel was white or nonwhite.”
Pixnapping in 3 Steps
The attack occurs in 3 main steps. In the first, the malicious app invokes Android APIs that make calls to the app the attacker wants to snoop on. These calls can also be used to effectively scan an infected device for installed apps of interest. The calls can further cause the targeted app to display specific data it has access to, such as a message thread in a messaging app or a 2FA code for a specific site. This call causes the information to be sent to the Android rendering pipeline, the system that takes each app's pixels so they can be rendered on the screen. The Android-specific calls made include activities, intents, and tasks.
In the second step, Pixnapping performs graphical operations on individual pixels that the targeted app sent to the rendering pipeline. These operations take the coordinates of target pixels the app wants to steal and begin to check if the color of those coordinates is white or nonwhite or, more generally, if the color is c or non-c (for an arbitrary color c).
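The white-or-nonwhite timing decision described above can be illustrated with a small simulation. This is an added example, not code from the researchers or the article: it touches no Android API, the glyph and every timing value (BASE_US, NOISE_US, leak_us) are constructed assumptions, and it goes one step beyond the text by including a leak_us = 0 case to show that recovery collapses once frame time no longer depends on pixel color.

```python
import random
import statistics

# Constructed 5x7 bitmap of the digit "7" (1 = nonwhite pixel, 0 = white).
GLYPH = ["11111", "00001", "00010", "00100", "01000", "01000", "01000"]
BASE_US = 16667.0  # assumed baseline frame time (about 60 Hz), microseconds
NOISE_US = 40.0    # assumed per-frame jitter, standard deviation


def frame_time(nonwhite, leak_us, rng):
    """Simulated render time of one frame; leak_us is the color-dependent part."""
    return rng.gauss(BASE_US + (leak_us if nonwhite else 0.0), NOISE_US)


def median_time(nonwhite, leak_us, frames, rng):
    """Median over several frames, which suppresses jitter in one measurement."""
    return statistics.median(frame_time(nonwhite, leak_us, rng) for _ in range(frames))


def recover(glyph, leak_us, frames, seed=1):
    """Classify every pixel from simulated timing alone; returns recovered rows."""
    rng = random.Random(seed)
    # Calibrate a decision threshold on reference pixels of known color.
    white_ref = median_time(False, leak_us, frames, rng)
    dark_ref = median_time(True, leak_us, frames, rng)
    threshold = (white_ref + dark_ref) / 2
    rows = []
    for row in glyph:
        bits = ""
        for ch in row:
            t = median_time(ch == "1", leak_us, frames, rng)
            bits += "1" if t > threshold else "0"
        rows.append(bits)
    return rows


def accuracy(glyph, recovered):
    """Fraction of pixels whose recovered value matches the true bitmap."""
    pairs = [(a, b) for r, s in zip(glyph, recovered) for a, b in zip(r, s)]
    return sum(a == b for a, b in pairs) / len(pairs)


if __name__ == "__main__":
    for leak in (200.0, 0.0):  # color-dependent timing vs. no dependence
        rows = recover(GLYPH, leak, frames=15)
        print(f"leak_us={leak}: accuracy={accuracy(GLYPH, rows):.2f}")
        print("\n".join(r.replace("1", "#").replace("0", ".") for r in rows))
```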