In the second step, Pixnapping performs graphical operations on individual pixels that the target app sent to the rendering pipeline. These operations select the coordinates of the target pixels the malicious app wants to steal and then check whether the color at each of those coordinates is white or non-white.
“Suppose, for instance, [the attacker] wants to steal a pixel that is part of the screen region where a 2FA character is known to be rendered by Google Authenticator,” Wang said. “This pixel is either white (if nothing was rendered there) or non-white (if part of a 2FA digit was rendered there). Then, conceptually, the attacker wants to cause some graphical operations whose rendering time is long if the target victim pixel is non-white and short if it is white. The malicious app does this by opening some malicious activities (i.e., windows) in front of the victim app that was opened in Step 1.”
The third step measures the amount of time required at each coordinate. By combining the timings for every coordinate, the attack can rebuild the images sent to the rendering pipeline one pixel at a time.
The time required to carry out the attack depends on several variables, including how many coordinates must be measured. In some cases, there is no hard deadline for obtaining the information the attacker wants to steal. In other cases, such as stealing a 2FA code, every second counts, since each code is valid for only 30 seconds. In the paper, the researchers explained:
To meet the strict 30-second deadline for the attack, we also reduce the number of samples per target pixel to 16 (compared to the 34 or 64 used in earlier attacks) and cut the idle time between pixel leaks from 1.5 seconds to 70 milliseconds. To ensure that the attacker has the full 30 seconds to leak the 2FA code, our implementation waits for the beginning of a new 30-second global time interval, determined using the system clock.
… We use our end-to-end attack to leak 100 different 2FA codes from Google Authenticator on each of our Google Pixel phones. Our attack correctly recovers the full 6-digit 2FA code in 73%, 53%, 29%, and 53% of the trials on the Pixel 6, 7, 8, and 9, respectively. The average time to recover each 2FA code is 14.3, 25.8, 24.9, and 25.3 seconds for the Pixel 6, Pixel 7, Pixel 8, and Pixel 9, respectively. We are unable to leak 2FA codes within 30 seconds using our implementation on the Samsung Galaxy S25 device due to significant noise. We leave further investigation of how to tune our attack to work on this device to future work.
In an email, a Google representative wrote, “We issued a patch for CVE-2025-48561 in the September Android security bulletin, which partially mitigates this behavior. We are issuing an additional patch for this vulnerability in the December Android security bulletin. We have not seen any evidence of in-the-wild exploitation.”
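The two bulletins Google names give a defender one concrete thing to verify on a fleet: which patch level each device actually reports. The following is an added example, not code from the article, from the Pixnapping authors or from Google. It is a POSIX shell helper that classifies an Android security patch level (the standard `ro.build.version.security_patch` property, read over `adb` when a device is attached) against the September 2025 and December 2025 bulletins. The patch-level strings `2025-09-01` and `2025-12-01` are assumptions about how those bulletins are reported on devices; replace them with the exact levels listed in the bulletins you track.

```shell
#!/bin/sh
# Added example (not from the article, the paper or Google): classify an Android
# device's security patch level against the bulletins that carry the
# CVE-2025-48561 fixes. The two level strings below are ASSUMED mappings of the
# "September 2025" and "December 2025" bulletins; adjust to the published levels.

PARTIAL_FIX_LEVEL="2025-09-01"   # assumed: September 2025 bulletin (partial mitigation)
FULL_FIX_LEVEL="2025-12-01"      # assumed: December 2025 bulletin (additional patch)

# to_int LEVEL: turn a zero-padded YYYY-MM-DD level into an integer (20250901)
# so that levels, including the -01/-05 variants, compare numerically in sh.
to_int() {
    printf '%s' "$1" | tr -d '-'
}

# patch_status LEVEL: print "unpatched", "partial" or "patched" for a
# ro.build.version.security_patch value; print "invalid" (exit 2) if the
# value is not a YYYY-MM-DD date.
patch_status() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) printf 'invalid\n'; return 2 ;;
    esac
    lvl="$(to_int "$level")"
    if [ "$lvl" -lt "$(to_int "$PARTIAL_FIX_LEVEL")" ]; then
        printf 'unpatched\n'          # older than the September bulletin
    elif [ "$lvl" -lt "$(to_int "$FULL_FIX_LEVEL")" ]; then
        printf 'partial\n'            # has the partial mitigation only
    else
        printf 'patched\n'            # at or beyond the December bulletin
    fi
    return 0
}

# device_patch_status: query the attached device over adb and classify it.
# Carriage returns are stripped because adb shell output is CRLF-terminated.
device_patch_status() {
    level="$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')"
    if [ -z "$level" ]; then
        printf 'no device found or adb not available\n' >&2
        return 2
    fi
    printf '%s: ' "$level"
    patch_status "$level"
}

# Usage: sh patchcheck.sh --device   (needs adb and a connected device)
#        sh patchcheck.sh 2025-11-05 (classify a level string offline)
case "${1:-}" in
    --device) device_patch_status ;;
    "") ;;
    *) patch_status "$1" ;;
esac
```

A device that reports "partial" has only the September mitigation that Google describes as partial; "patched" means the reported level is at or beyond the assumed December level. The classification says nothing about OEM backports, so treat it as an inventory signal rather than proof of exposure or safety.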