Security researchers have discovered a surprising new way attackers can steal information from Android phones without the user ever noticing. Called Pixnapping, it can quietly read what is shown on the screen, including two-factor codes, private messages and location information, by “sniffing” pixels as apps draw them.
Pixnapping is a combined software-and-hardware trick: it uses ordinary Android features together with a tiny timing side channel in the phone’s graphics system. A malicious app can ask another app to show specific content (for example, open a message thread or an authenticator screen). While that content is being drawn, the attacker probes individual pixel coordinates and measures how long small graphics operations take. By repeating this and combining the timing data, the attacker can rebuild images on the screen one pixel at a time and read things like 2FA codes or message text.
Researchers from UC Berkeley, UC San Diego, Carnegie Mellon and the University of Washington tested this on high-end phones (Pixel 10, Galaxy S25 Ultra) and showed they could recover protected content from apps such as Gmail, Google Authenticator, Google Maps, Signal and Venmo. In the case of Google Authenticator, Pixnapping can extract a 2FA code in under 30 seconds while staying hidden from the user.
The flaw is tracked as CVE-2025-48561. Google released a partial mitigation in the September 2025 Android security bulletin and plans to follow up with another patch. The researchers have already found workarounds that bypass that first fix, but Google reports no evidence so far that Pixnapping has been used in real-world attacks. Still, the report shows how even seemingly private on-screen data can be exposed in unexpected ways.
Here’s how you can stay safe.
For now, the best ways to stay safe are to keep your phone updated and install Android security patches as they arrive, avoid installing apps from unknown sources, and consider stronger 2FA options, like a physical security key or an authenticator on a separate device, for critical accounts.