A newly discovered Android vulnerability allows malicious apps to access content displayed by other apps, potentially compromising crypto wallet recovery phrases, two-factor authentication (2FA) codes and more.
According to a recent research paper, the “Pixnapping” attack “bypasses all web browser mitigations and can even steal secrets from non-browser apps.” This is possible by leveraging Android application programming interfaces (APIs) to compute the content of a specific pixel displayed by a different application.
This is not as simple as the malicious app requesting and reading the screen content of another app. Instead, it layers a stack of attacker-controlled, semi-transparent activities to mask all but a chosen pixel, then manipulates that pixel so its color dominates the frame.
By repeating this process and timing frame renders, the malware infers those pixels to reconstruct on-screen secrets. Fortunately, this takes time, which limits the attack’s usefulness against content that is not displayed for more than a few seconds.
Seed phrases at risk
One kind of particularly sensitive information that tends to stay on screen for much longer than a few seconds is crypto wallet recovery phrases. Those phrases, which allow full, unchecked access to the connected crypto wallets, require users to write them down for safekeeping. The paper tested the attack on 2FA codes on Google Pixel devices:
“Our attack properly recuperates the complete 6-digit 2FA code in 73%, 53%, 29%, and 53% of the trials on the Pixel 6, 7, 8, and 9, respectively. The typical time to recuperate each 2FA code is 14.3, 25.8, 24.9, and 25.3 seconds for the Pixel 6, Pixel 7, Pixel 8, and Pixel 9, respectively.”
While a full 12-word recovery phrase would take much longer to capture, the attack remains viable if the user leaves the phrase visible while writing it down.
Google’s response
The vulnerability was tested on five devices running Android versions 13 to 16: the Google Pixel 6, Google Pixel 7, Google Pixel 8, Google Pixel 9 and the Samsung Galaxy S25. The researchers said the same attack could work on other Android devices because the exploited APIs are widely available.
Google initially tried to patch the flaw by limiting the number of activities an app can blur at once. However, the researchers said they found a workaround that still allows Pixnapping to function.
“As of October 13, we are still collaborating with Google and Samsung concerning disclosure timelines and mitigations.”
According to the paper, Google rated the issue as high severity and committed to awarding the researchers a bug bounty. The team also reached out to Samsung to warn that “Google’s patch was inadequate to safeguard Samsung gadgets.”
Hardware wallets offer safe protection
The most obvious solution to the problem is to avoid displaying recovery phrases or any other particularly sensitive content on Android devices. Even better would be to avoid displaying recovery information on any internet-capable device.
A simple way to achieve just that is to use a hardware wallet. A hardware wallet is a dedicated key management device that signs transactions externally to a computer or smartphone without ever exposing the private key or recovery phrase. As threat researcher Vladimir S put it in an X post on the subject:
“Just do not utilize your phone to protect your crypto. Utilize a hardware wallet!”