Pixnapping: New Android Security Attack Steals Data from Apps and Websites
By
kevcampb
A baker's-dozen of insight crammed into one ring.
Summary
Pixnapping is a new class of Android security attacks that enables malicious apps to stealthily leak information from other apps and websites. The attack exploits Android APIs and a hardware side channel affecting nearly all modern Android devices. Researchers demonstrated successful attacks on Google and Samsung phones, recovering sensitive data from Gmail, Google Accounts, Signal, Google Authenticator, Venmo, and Google Maps. Notably, the attack can steal 2FA codes from Google Authenticator in under 30 seconds while remaining hidden from users.
Key quotes
· 4 pulledPixnapping is a new class of attacks that allows a malicious Android app to stealthily leak information displayed by other Android apps or arbitrary websites.
Pixnapping exploits Android APIs and a hardware side channel that affects nearly all modern Android devices.
We have demonstrated Pixnapping attacks on Google and Samsung phones and end-to-end recovery of sensitive data from websites including Gmail and Google Accounts and apps including Signal, Google Authenticator, Venmo, and Google Maps.
Notably, our attack against Google Authenticator allows any malicious app to steal 2FA codes in under 30 seconds while hiding the attack from the user.
You might also wanna read
Android Lock Screen Bypass via Google Gemini Deep Research Remains Unpatched on Pixel 6a Running Android 16
A security researcher discovered that a previously reported and supposedly patched Android lock screen bypass via Google Gemini's Deep Resea
infosecwriteups.com·2d ago
Security Researchers Discover ChatGPT Vulnerability That Could Extract Sensitive Gmail Data
Security researchers from Radware discovered a vulnerability called 'Shadow Leak' that allowed ChatGPT to be manipulated into extracting sen
The Verge·8mo ago