Pixnapping Attack Hijacks Google Authenticator 2FA Codes in Under 30 Seconds

Security researchers have unveiled a sophisticated new attack technique dubbed “Pixnapping” that can extract two-factor authentication codes from Google Authenticator and other sensitive mobile applications in under 30 seconds.

Pixnapping leverages fundamental features of Android’s graphics rendering system to create a side-channel attack that steals pixel data from victim applications.

Unlike traditional browser-based pixel-stealing attacks that rely on embedding websites in iframes, this new technique uses Android intents to launch victim applications and layers semi-transparent attacker-controlled activities on top of them.

The vulnerability, tracked as CVE-2025-48561, represents a significant evolution in pixel-stealing attacks that bypasses modern browser security protections and threatens Android users across multiple device manufacturers.

The attack exploits how Android’s SurfaceFlinger service composites multiple windows together, allowing malicious apps to isolate, enlarge, and extract individual pixels from victim applications through carefully orchestrated blur operations and timing measurements.

The framework operates in three primary ...