
New Pixnapping Android Flaw Lets Rogue Apps Steal 2FA Codes Without Permissions

Severity: Medium
Tags: Exploit, android
Published: Tue Oct 14 2025 (10/14/2025, 11:18:00 UTC)
Source: The Hacker News

Description

Android devices from Google and Samsung have been found vulnerable to a side-channel attack that could be exploited to covertly steal two-factor authentication (2FA) codes, Google Maps timelines, and other sensitive data, pixel by pixel, without the user's knowledge. The attack has been codenamed Pixnapping by a group of academics from the University of California (Berkeley), University of

AI-Powered Analysis

AI analysis last updated: 10/15/2025, 01:27:49 UTC

Technical Analysis

Pixnapping is a pixel-stealing side-channel attack discovered by academic researchers from several US universities. It targets Android devices, primarily from Google and Samsung, running Android 13 through 16. The attack combines a hardware side channel in integrated GPUs (iGPUs), previously disclosed as GPU.zip, with Android's window blur API and its intent mechanism.

A malicious app needs no special permissions. It first invokes activities of the victim app via Android intents, which forces the victim app's pixels into the rendering pipeline. It then overlays a stack of semi-transparent Android activities that apply graphical operations such as blur to those pixels. By measuring the timing and color-dependent side effects of these operations, the rogue app can reconstruct the pixel data of sensitive content displayed by the victim app, including 2FA codes from apps such as Google Authenticator and location data from Google Maps timelines. The pixel-by-pixel extraction completes in under 30 seconds. The attack bypasses browser mitigations and works against non-browser apps, which is what makes it particularly dangerous.

Google addressed the vulnerability (CVE-2025-48561) in the September 2025 Android Security Bulletin but acknowledged that certain workarounds can re-enable the exploit. The same technique also provides an unpatched way to enumerate installed apps, circumventing the restrictions introduced in Android 11. The attack is feasible because Android's design permits app layering and inter-app rendering interactions, which makes a straightforward fix difficult. The researchers suggest that sensitive apps be allowed to opt out of such rendering interactions and that measurement capabilities be restricted to reduce the attack's viability. No comprehensive fix is available at present, and Google is actively working on further mitigations.

Potential Impact

For European organizations, the Pixnapping attack poses a significant risk to mobile security, especially for employees and users relying on Android devices from Google and Samsung for accessing corporate resources protected by 2FA. The theft of 2FA codes undermines multi-factor authentication, a critical security control, potentially enabling unauthorized access to corporate accounts, email, VPNs, and cloud services. The ability to covertly steal location data and app usage information also raises privacy concerns and could facilitate targeted espionage or insider threat activities. Since the attack requires installation of a malicious app, social engineering or supply chain compromises could be vectors for infection. The stealthy nature of the attack, requiring no special permissions, makes detection difficult, increasing the risk of prolonged undetected breaches. The partial patching status and existence of workarounds mean that many devices remain vulnerable, especially if updates are delayed or incomplete. This threat could impact sectors with high security requirements such as finance, government, healthcare, and critical infrastructure across Europe, where Android devices are widely used. The ability to bypass app enumeration restrictions also aids attackers in profiling devices for further exploitation.

Mitigation Recommendations

European organizations should enforce strict mobile device management (MDM) policies to ensure timely installation of Android security updates, particularly the September 2025 security bulletin addressing CVE-2025-48561. They should restrict installation of apps from untrusted sources and implement application allowlisting to prevent rogue apps from being installed. Security awareness training should emphasize the risks of installing unknown apps and encourage vigilance against social engineering.

Organizations should monitor device behavior for unusual graphical operations or performance anomalies that could indicate side-channel exploitation. Endpoint detection and response (EDR) solutions with mobile capabilities should be tuned to detect suspicious app layering or intent abuse.

Developers of sensitive apps (e.g., authenticators, banking apps) should consider implementing opt-out mechanisms to prevent their app activities from being rendered or blurred by other apps, reducing exposure to pixel stealing. Collaboration with device manufacturers and Google to accelerate patch deployment and address workarounds is critical.

Finally, organizations should consider multi-factor authentication methods that do not rely solely on on-screen codes, such as hardware tokens or biometric factors, to mitigate the impact of 2FA code theft.
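The first recommendation above is a patch-level check across a fleet. The following script is an added example, not code from the article or from the Pixnapping researchers. It reads a device inventory (the inventory lines are constructed here; in practice they would come from an MDM export or from `adb shell getprop ro.build.version.release` and `adb shell getprop ro.build.version.security_patch`) and flags devices running Android 13 through 16 whose security patch level predates the September 2025 bulletin (2025-09-01) that addresses CVE-2025-48561. Devices outside that release range are marked not affected only because the analysis scopes the attack to Android 13 through 16; a "patched" result means the bulletin is applied, which the analysis notes is necessary but, given the acknowledged workarounds, not sufficient.

```python
"""Fleet patch-level check for CVE-2025-48561 (added example, not from the article).

Input format (constructed for this example, one device per line):
    device_id,ro.build.version.release,ro.build.version.security_patch
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# September 2025 Android Security Bulletin, which the analysis says addresses CVE-2025-48561.
PATCH_BULLETIN = date(2025, 9, 1)

# Android releases the analysis names as affected (13 through 16).
AFFECTED_RELEASES = range(13, 17)

# Constructed sample inventory; not real devices.
SAMPLE_INVENTORY = """\
# device_id,release,security_patch
pixel-001,16,2025-10-05
pixel-002,15,2025-08-05
galaxy-003,14,2025-09-01
galaxy-004,12,2025-06-05
pixel-005,13,unknown
"""


@dataclass
class Finding:
    device_id: str
    release: str
    patch_level: str
    status: str  # one of: patched, vulnerable, not_affected, unknown


def parse_patch_level(value: str) -> Optional[date]:
    """ro.build.version.security_patch is YYYY-MM-DD; anything else is treated as unknown."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def parse_major_release(value: str) -> Optional[int]:
    """Take the major number from release strings such as '14' or '13.0'."""
    head = value.strip().split(".")[0]
    return int(head) if head.isdigit() else None


def assess(device_id: str, release: str, patch_level: str) -> Finding:
    """Classify one device against the affected release range and the bulletin date."""
    major = parse_major_release(release)
    patch = parse_patch_level(patch_level)
    if major is None or patch is None:
        status = "unknown"          # cannot prove patched; treat as needing follow-up
    elif major not in AFFECTED_RELEASES:
        status = "not_affected"     # outside the range the analysis names
    elif patch >= PATCH_BULLETIN:
        status = "patched"          # bulletin applied; workarounds may still apply
    else:
        status = "vulnerable"       # affected release, bulletin not yet applied
    return Finding(device_id, release.strip(), patch_level.strip(), status)


def assess_inventory(text: str) -> List[Finding]:
    """Parse the CSV-style inventory and assess every device, skipping comments and blanks."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        device_id, release, patch_level = (field.strip() for field in line.split(",", 2))
        findings.append(assess(device_id, release, patch_level))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count devices per status so the vulnerable and unknown buckets can be tracked over time."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.status] = counts.get(finding.status, 0) + 1
    return counts


if __name__ == "__main__":
    results = assess_inventory(SAMPLE_INVENTORY)
    for finding in results:
        print(f"{finding.device_id:12} Android {finding.release:5} patch {finding.patch_level:10} -> {finding.status}")
    print(summarize(results))
```

Devices that land in the "unknown" bucket (missing or malformed patch strings) deserve the same follow-up as "vulnerable" ones, since the check cannot show they are patched.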


Technical Details

Article Source: https://thehackernews.com/2025/10/new-pixnapping-android-flaw-lets-rogue.html (fetched 2025-10-15T01:26:52.901Z, 1326 words)

Threat ID: 68eef85f55734f1608e47853

Added to database: 10/15/2025, 1:26:55 AM

Last enriched: 10/15/2025, 1:27:49 AM

Last updated: 10/16/2025, 12:55:24 PM

Views: 19

