Blog - Creative Collaboration

Pixnapping attack can steal 2FA codes from Android devices using onscreen pixels

October 14, 2025

A team of academics says it has found a way to rip sensitive onscreen data from Android devices pixel-by-pixel — fast enough to snatch time-based two-factor authentication (2FA) codes in under 30 seconds. The technique, dubbed Pixnapping and reported on by The Hacker News, apparently targets Google and Samsung phones tested on Android 13 through 16, but the authors argue the necessary ingredients exist across the broader Android ecosystem.

How the screen-spying flaw theoretically works

And what it means for users

Credit: Lucas Gouveia/Android Police | Stanislav Photographer/Shutterstock

Pixnapping isn’t another screenshot permission abuse. It’s a side-channel pipeline that abuses how Android layers and processes windows. A malicious app (even with all special permissions disabled) can force “victim” app content into the rendering path via intents, then stack semi-transparent activities and trigger visual effects to leak information about each pixel’s value. Repeat that loop, and you can reconstruct whatever’s on screen, including digits in Google Authenticator, bits of a Google Maps Timeline, or other sensitive UI elements.

That flow isn’t new; it actually builds on GPU.zip, a 2023 disclosure showing that GPU compression behavior can be used for cross-origin pixel theft in browsers. Here, researchers combine that hardware quirk with Android’s window blur API to measure pixel-dependent timing differences and exfiltrate data from non-browser apps. In short: no screenshots, just physics and clever scheduling.

Google has assigned the issue CVE-2025-48561 (CVSS 5.5) and shipped mitigations in the September 2025 Android Security Bulletin, warning that spammy blur requests can both indicate and enable pixel stealing. However, the researchers say there’s already a workaround that re-enables Pixnapping, and Google is working on another fix.

There’s a second headache, too. As a side effect of the technique, an attacker can infer whether an arbitrary app is installed, effectively bypassing Android 11’s restrictions on querying the full app list. Google has reportedly marked that behavior “won’t fix.”

So, what can you do right now? For starters, ensure Play Protect is active, and avoid sideloading sketchy-looking APKs. Overall, be skeptical of apps that insist you open other apps through them, especially if they show odd translucent overlays or blur-heavy transitions.

On the platform side, the researchers recommend letting sensitive apps opt out of compositing tricks and throttling the attacker’s ability to take high-fidelity timing measurements, to make sure these potential attacks remain theoretical. In the meantime, until patches land everywhere, treat unknown apps like they’re standing over your shoulder with a magnifying glass.
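To make the timing-throttling recommendation above concrete, here is an added example (not code from the researchers or from this article): a small statistical model of a pixel-dependent timing channel viewed through timers of different resolution. Every number in it except the 30-second window is a constructed assumption, and the function names are hypothetical.

```python
import random
import statistics

# Constructed model parameters (assumptions, not figures from the research).
BASE_US = 5000.0   # render time when the target pixel has value 0
DELTA_US = 40.0    # extra render time when the pixel has value 1
NOISE_US = 20.0    # std dev of per-measurement scheduling noise
WINDOW_S = 30.0    # validity window of a time-based code, per the article


def observe(bit, resolution_us, rng):
    """One render-time sample as read through a timer with the given tick size."""
    true_t = BASE_US + DELTA_US * bit + rng.gauss(0.0, NOISE_US)
    phase = rng.uniform(0.0, resolution_us)  # sample starts somewhere mid-tick
    return ((true_t + phase) // resolution_us) * resolution_us


def accuracy(resolution_us, samples_per_pixel, trials=1000, seed=1):
    """Share of pixels guessed correctly by averaging samples against a midpoint threshold."""
    rng = random.Random(seed)
    threshold = BASE_US + DELTA_US / 2
    correct = 0
    for _ in range(trials):
        bit = rng.randrange(2)
        mean_t = statistics.fmean(
            observe(bit, resolution_us, rng) for _ in range(samples_per_pixel)
        )
        correct += (mean_t > threshold) == bool(bit)
    return correct / trials


def capture_seconds(pixels, samples_per_pixel, samples_per_second):
    """Wall-clock time to sample every pixel under a measurement rate cap."""
    return pixels * samples_per_pixel / samples_per_second


if __name__ == "__main__":
    for res, n in [(1.0, 16), (1000.0, 16), (1000.0, 512)]:
        print(f"tick={res:>6} us  samples/pixel={n:>3}  accuracy={accuracy(res, n):.3f}")
    # Constructed budget: 400 pixels, rate cap of 2000 measurements per second.
    for n in (16, 512):
        t = capture_seconds(400, n, 2000)
        print(f"samples/pixel={n:>3}  capture={t:.1f}s  within window={t < WINDOW_S}")
```

In this model a coarse timer alone does not close the channel, because averaging more samples restores accuracy; it is the combination with a cap on measurement rate that pushes the capture time past the code's validity window.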

    © CC Startup, Powered by Creative Collaboration. © 2020 Creative Collaboration, LLC. All Rights Reserved.
