Chicago IT Support & Cyber Security | Forward Technologies

Chicago-based Forward Technologies delivers IT support and cyber security to businesses in the Chicago area and nationwide.


Android Exploit Can Steal 2FA Codes Without Permissions

October 16, 2025 by Edward Silha

A new attack called Pixnapping can steal sensitive data from Android devices without needing a single permission. The exploit targets visual data on-screen, including two-factor authentication codes, private messages, and location histories. It works by quietly measuring how long it takes to render specific pixels. If that sounds like science fiction, it’s not. Researchers have already tested it on Pixel and Samsung devices with unsettling results.

At the heart of Pixnapping is a timing trick. A malicious app opens behind-the-scenes windows that cause sensitive content, like a 2FA code in Google Authenticator, to be rendered by the system. Then it draws over the screen with transparent graphics and records rendering times. That’s enough to tell which pixels are white or colored, which can reveal the content displayed underneath.

The researchers behind Pixnapping demonstrated the attack working in under 30 seconds on Pixel 6 through Pixel 9 devices. That’s just fast enough to steal a full six-digit 2FA code before it refreshes. On average, the attack succeeds more than half the time, though performance drops on newer models. Samsung’s Galaxy S25 proved too noisy for a successful run, at least for now.
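To see why measurement noise and the short lifetime of a 2FA code limit a rendering-time side channel like the one described above, here is a toy simulation (an added example, not the researchers' code and not part of the original post). The timing constants, noise levels and function names are constructed assumptions, not measurements from any device.

```python
import random

# Constructed toy parameters, not measurements from any real device.
BASE_US = 100.0   # assumed render time for a white pixel (microseconds)
DELTA_US = 4.0    # assumed extra render time when the pixel is coloured

def measure(bit, noise_us, rng):
    """One simulated timing sample for a pixel whose true colour is `bit`."""
    return BASE_US + DELTA_US * bit + rng.gauss(0.0, noise_us)

def classify(bit, samples, noise_us, rng):
    """Average `samples` timings and compare with the midpoint threshold."""
    mean = sum(measure(bit, noise_us, rng) for _ in range(samples)) / samples
    return 1 if mean > BASE_US + DELTA_US / 2 else 0

def recovery_rate(noise_us, samples, pixels=1000, seed=1):
    """Fraction of simulated pixels whose colour is inferred correctly."""
    rng = random.Random(seed)
    truth = [rng.randint(0, 1) for _ in range(pixels)]
    guesses = [classify(b, samples, noise_us, rng) for b in truth]
    return sum(g == b for g, b in zip(guesses, truth)) / pixels

def samples_needed(noise_us, target=0.99, limit=1024):
    """Smallest power-of-two samples per pixel reaching `target` accuracy.

    Returns None when even `limit` samples per pixel are not enough, i.e.
    the signal is buried in noise for any realistic time budget.
    """
    n = 1
    while n <= limit:
        if recovery_rate(noise_us, n) >= target:
            return n
        n *= 2
    return None

if __name__ == "__main__":
    # Quiet, moderate and very noisy timing sources (constructed values).
    for noise in (1.0, 8.0, 64.0):
        rate = recovery_rate(noise, samples=16)
        print(f"noise={noise:5.1f}us  accuracy@16={rate:.3f}  "
              f"samples for 99%={samples_needed(noise)}")
```

Each doubling of the noise roughly quadruples the samples needed per pixel, so a noisy rendering pipeline can push the total measurement time past the window in which a code is still valid.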

What makes Pixnapping different is how little it needs to function. No permissions. No access to other apps. It doesn’t try to hack memory or intercept network traffic. Instead, it exploits how Android draws pixels on the screen, using rendering time as a leak. The method shares roots with GPU.zip, a 2023 technique that let websites spy on other open tabs using similar side-channel tactics.

Google patched the original vulnerability in its September security bulletin, with more fixes planned in December. But the research team says they already have a modified version that works despite the update. That should raise alarms. The exploit cracks open one of Android’s core assumptions: that apps can’t read what’s on each other’s screens.

Still, this isn’t a plug-and-play hack for cybercriminals. Pulling it off requires precise targeting, knowledge of where on the screen key data appears, and minimal background noise. It’s the kind of attack more likely to be refined in labs than used in the wild. But it also shows that the walls between apps on Android aren’t as solid as they should be.

In a statement, Google confirmed it has no evidence of the flaw being used in real-world attacks. That’s cold comfort if you rely on apps like Google Authenticator. Timing attacks are hard to detect, and the damage they cause can happen before you even know something’s wrong.

For now, there’s not much end users can do. This isn’t about malware stealing permissions. It’s about the OS itself leaking visual information. The best defense is to keep your device updated and uninstall anything you don’t fully trust.

Filed Under: Blog, Cybersecurity Tagged With: 2fa, 2FA code theft, alan linghao wang, Android, android security, CVE-2025-48561, cybersecurity, cybersecurity research, galaxy s25, google authenticator, google security patch, gpu.zip, malware, mobile hacking, pixel 6, pixel 7, pixel 8, pixel 9, Pixel devices, pixnapping, ricardo paccagnella, smartphone vulnerabilities, timing attack
