November 20, 2025
New ‘Pixnapping’ attack can steal seed phrases straight from your screen


Cybersecurity researchers at Carnegie Mellon University have identified a new Android vulnerability that could allow attackers to steal sensitive on-screen data, including crypto wallet seed phrases and two-factor authentication (2FA) codes, from a malicious app that requests no special permissions at all.

The attack, called Pixnapping, targets Google and Samsung devices and builds on a previously known GPU side-channel technique called GPU.zip.

The attack begins when a user installs a malicious app. That app silently launches another application, such as a crypto wallet or an authenticator app, whose on-screen content it wants to extract.

Source: Pixnapping research paper

The malicious app then induces graphics operations on the specific screen coordinates where sensitive information is typically displayed, and recovers those pixels one at a time through a timing side channel.

Researchers compared this process to taking unauthorized screenshots of data visible on the screen.

Pixnapping uses Android’s window blur API and VSync callbacks to push the victim’s sensitive pixels through the rendering pipeline, stacking semi-transparent activities over the target app and timing how long particular frames take to render.

Because the render time depends on the colour of the pixel being processed, these timing patterns reveal each pixel’s value, and the recovered pixels can be assembled back into the sensitive data that was on screen.

Pixnapping exploits screen pixels to bypass Android app isolation

The attack has been successfully demonstrated on the Google Pixel 6 through Pixel 9 devices, as well as the Samsung Galaxy S25, running Android versions 13 through 16.

Testing showed that the researchers were able to recover 2FA codes from Google Authenticator with success rates between 29% and 73%, depending on the device model.

On average, the attack retrieved a full six-digit code in less than 30 seconds, fast enough to exploit the short validity period of most 2FA codes.
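To make the two paragraphs above concrete, here is an added simulation of how a per-pixel render-timing signal is turned back into screen content and why the number of pixels and samples sets the attack’s time budget. This is an illustrative model written for this page, not code from the Pixnapping paper or from the original article: the secret bitmap is constructed, and the oracle’s parameters (a 16.6 ms base frame time for a 60 Hz display, an assumed 0.8 ms extra cost for a dark pixel, 0.3 ms of Gaussian timing noise, 25 samples per pixel) are assumptions chosen to show the method, not measurements from any device. Nothing here touches Android or a GPU.

```python
"""Toy model of a render-timing pixel oracle (constructed example).

The attacker never sees the bitmap. It only sees how long each frame took
to render while one chosen pixel was being processed, which is a noisy
signal whose mean depends on that pixel's colour. Repeated sampling and a
median per pixel recover the colour; a threshold turns medians into bits.
"""
import random
import statistics
from typing import Callable, List

# Constructed "secret": a 7x7 crop of the screen showing the digit 2.
# '#' is a dark (foreground) pixel, '.' a light (background) pixel.
SECRET_ROWS = [
    ".......",
    ".#####.",
    "......#",
    ".#####.",
    "#......",
    ".#####.",
    ".......",
]

Bitmap = List[List[int]]
Oracle = Callable[[int, int], float]


def parse_bitmap(rows: List[str]) -> Bitmap:
    return [[1 if ch == "#" else 0 for ch in row] for row in rows]


def render(bitmap: Bitmap) -> List[str]:
    return ["".join("#" if p else "." for p in row) for row in bitmap]


def make_timing_oracle(bitmap: Bitmap, rng: random.Random,
                       base_ms: float = 16.6, dark_extra_ms: float = 0.8,
                       noise_sd_ms: float = 0.3) -> Oracle:
    """Model of the side channel (assumed constants, not measured values).

    Returns a function that, for one screen coordinate, reports a frame time:
    a constant base, an extra cost if the pixel is dark, plus Gaussian noise.
    """
    def sample(x: int, y: int) -> float:
        extra = dark_extra_ms if bitmap[y][x] else 0.0
        return base_ms + extra + rng.gauss(0.0, noise_sd_ms)
    return sample


def recover_bitmap(sample: Oracle, width: int, height: int,
                   samples_per_pixel: int) -> Bitmap:
    """Attacker side: sample every pixel repeatedly, take the median, threshold.

    The threshold is the midpoint between the smallest and largest median,
    which assumes the crop contains both colours (true for any rendered glyph).
    """
    medians = [
        [statistics.median(sample(x, y) for _ in range(samples_per_pixel))
         for x in range(width)]
        for y in range(height)
    ]
    flat = [m for row in medians for m in row]
    threshold = (min(flat) + max(flat)) / 2.0
    return [[1 if m > threshold else 0 for m in row] for row in medians]


def attack_seconds(n_pixels: int, samples_per_pixel: int,
                   frame_ms: float = 16.6) -> float:
    """Wall-clock cost if every sample costs one frame (assumed 60 Hz)."""
    return n_pixels * samples_per_pixel * frame_ms / 1000.0


def fits_in_window(n_pixels: int, samples_per_pixel: int,
                   window_s: float = 30.0, frame_ms: float = 16.6) -> bool:
    """Does the full scan finish before a code with this lifetime expires?"""
    return attack_seconds(n_pixels, samples_per_pixel, frame_ms) <= window_s


def demo(seed: int = 1, samples_per_pixel: int = 25) -> dict:
    rng = random.Random(seed)
    secret = parse_bitmap(SECRET_ROWS)
    height, width = len(secret), len(secret[0])
    oracle = make_timing_oracle(secret, rng)
    guess = recover_bitmap(oracle, width, height, samples_per_pixel)
    correct = sum(g == s for grow, srow in zip(guess, secret)
                  for g, s in zip(grow, srow))
    return {
        "recovered": render(guess),
        "accuracy": correct / (width * height),
        "seconds": attack_seconds(width * height, samples_per_pixel),
    }


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["recovered"]))
    print(f"accuracy={result['accuracy']:.2f} time={result['seconds']:.1f}s")
```

Two things the model makes visible that the prose only states: more samples per pixel drive the error rate down but multiply the wall-clock cost, and the cost scales with the number of pixels scanned. A six-digit code that is valid for 30 seconds leaves a bounded budget; a seed phrase left on screen for minutes while it is copied down removes that bound entirely.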

The team noted that recovering a long recovery phrase takes more time, but crypto seed phrases remain highly exposed because they stay visible while the user writes them down.

Because these phrases remain on the screen far longer than time-limited codes, an attacker has ample time to reconstruct them pixel by pixel.

The vulnerability, tracked as CVE-2025-48561, was reported to Google in February 2025. A partial patch was released with the September Android security update, but researchers said they found a workaround that allowed the attack to continue functioning.

Google has since acknowledged that the issue is serious and confirmed that a second fix is being developed, expected in December.

In their tests, the researchers were able to extract sensitive data not only from crypto wallets and Google Authenticator, but also from applications such as Gmail, Signal, Venmo and Google Maps.

Because the exploit targets content visible on the screen rather than stored files or permission-gated APIs, Android’s app isolation does not block it: the malicious app never reads the victim app’s data directly.

According to the researchers, Google initially tried to fix the problem by limiting how many activities an app can blur at the same time, but this proved insufficient. The researchers have also notified Samsung that the patch does not protect its devices.

Security experts advise crypto users to avoid displaying recovery phrases or 2FA codes on internet-connected devices at all.

Instead, they recommend using hardware wallets, which store private keys and recovery phrases offline, preventing exposure via screen-based attacks like Pixnapping.

Crypto investors face increasing Android malware threats

A rise in Android-based crypto malware has exacerbated global cybersecurity concerns, with several major incidents coming to light in recent months.

In April, researchers discovered ‘Crocodilus’, a remote access Trojan targeting crypto wallet users in Turkey and Spain. The malware, exposed by ThreatFabric, disguises itself as legitimate crypto apps and tricks victims into revealing their seed phrases via fake security alerts.

Once installed, it abuses Android’s Accessibility Services to steal passwords, intercept two-factor codes, and capture wallet data, while masking the activity behind a black screen overlay.

Security experts say Crocodilus spreads through multiple channels, including phishing emails, compromised websites and malicious advertisements, making it difficult to trace the original dropper.

The discovery follows reports of broader malware campaigns linked to fake AI, gaming and Web3 startups.

According to cybersecurity firm Darktrace, attackers have built a convincing online presence, complete with fake company websites, social profiles and GitHub repositories, to lure users into downloading infected software.

The campaigns use malware families such as Realst and Atomic Stealer, which can exfiltrate wallet data on both Windows and macOS.

Analysts warn that these scams represent a new level of sophistication in crypto-targeted attacks, combining social engineering with heavy obfuscation and persistent execution methods.

Cybersecurity experts advise users to verify the legitimacy of projects, avoid downloading software from unverified sources, and remain wary of unsolicited offers or airdrops, especially if these are linked to new “startups” or crypto platforms that promise exclusive access or rewards.

Read original story Warning for Android Crypto Users: New ‘Pixnapping’ Attack Could Steal Seed Phrases Straight from Your Screen By Hassan Shittu on Cryptonews.com
