Android Hack: Stealing 2FA Codes & Private Messages (Pixnapping Explained) (2025)

Your phone's screen might be whispering your secrets — and attackers can listen.

A newly described technique called Pixnapping can, in some cases, reconstruct what an app has drawn to the screen, one pixel at a time, allowing a malicious actor to recover things like 2FA codes and private messages. The attack doesn't need to read the app's memory or exploit a kernel bug: it abuses timing differences in how pixels are rendered. Read on to see how it works and why it raises hard questions about mobile security.

How Pixnapping works (plain-language walkthrough)

The researchers break the attack into clear steps that are easy to understand once you picture the screen as a grid of pixels.

  1. Prepare the target. First, a malicious app gets the victim app to render its screen content — for example, the Google Authenticator app showing a 2FA code — while the attacker-controlled app is ready to run graphical operations.

  2. Probe individual pixels. Pixnapping then performs tiny graphical operations focused on single coordinates from the victim app's rendering pipeline. For each target coordinate (a pixel location that might correspond to a digit in a 2FA display), the attacker checks whether that pixel is white or not. The idea, explained by one of the researchers, is simple: if a pixel sits where a 2FA digit is drawn it will usually be non-white; if nothing is there it will be white. The attacker arranges graphical work that takes noticeably longer to render when the target pixel is non‑white than when it is white, often by opening malicious windows or activities in front of the victim app to influence rendering timing.

  3. Measure timing, reconstruct image. By measuring how long these rendering operations take at each coordinate, the attacker can infer whether each probed pixel is white or non-white. Repeating this across many coordinates — and combining the timing measurements — allows the attacker to rebuild the picture the victim app drew, pixel by pixel.

Timing is everything — and 2FA is time-limited

The researchers emphasize that the speed of the attack matters a lot, especially for stealing one-time 2FA codes that expire every 30 seconds. To meet that tight window they tuned the technique: they cut down the number of timing samples per pixel to 16 (earlier related attacks used 34 or even 64 samples), and they shortened the idle time between successive pixel leaks from 1.5 seconds to just 70 milliseconds. The implementation also synchronizes with the system clock so it starts leaking exactly at the beginning of the 30-second code interval, maximizing the time available to capture and reconstruct the code.
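
The trade-off between samples per pixel and measurement noise can be seen in a small statistical model. This is an added example, not the researchers' code: it touches no device or graphics API, and the bitmap, the timing means and the Gaussian noise are all constructed assumptions.

```python
import random

# Constructed 5x7 bitmap of the digit "7": '#' = non-white (glyph), '.' = white.
GLYPH = [
    "#####",
    "....#",
    "...#.",
    "..#..",
    ".#...",
    ".#...",
    ".#...",
]

# Assumed timing model (not measurements from the research): mean render time in ms.
WHITE_MS, NONWHITE_MS = 1.0, 2.0
THRESHOLD_MS = (WHITE_MS + NONWHITE_MS) / 2


def classify_pixel(is_nonwhite, samples, sigma, rng):
    """Average `samples` noisy timings and threshold the mean."""
    mean = NONWHITE_MS if is_nonwhite else WHITE_MS
    observed = sum(rng.gauss(mean, sigma) for _ in range(samples)) / samples
    return observed > THRESHOLD_MS


def reconstruct(samples, sigma, rng):
    """Rebuild the bitmap row by row from simulated timings."""
    return [
        "".join("#" if classify_pixel(c == "#", samples, sigma, rng) else "." for c in row)
        for row in GLYPH
    ]


def error_rate(samples, sigma, trials=50, seed=1):
    """Fraction of pixels misclassified over `trials` reconstructions."""
    rng = random.Random(seed)
    wrong = total = 0
    for _ in range(trials):
        guess = reconstruct(samples, sigma, rng)
        for got, want in zip(guess, GLYPH):
            wrong += sum(g != w for g, w in zip(got, want))
            total += len(want)
    return wrong / total


if __name__ == "__main__":
    for sigma in (0.1, 2.0, 4.0):
        for n in (16, 34, 64):
            print(f"sigma={sigma} ms samples={n}: error={error_rate(n, sigma):.3f}")
```

In this model, 16 samples are enough when noise is small relative to the timing gap, while at high noise the error rate rises sharply and only more samples (and therefore more time inside the 30-second window) bring it back down.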

Real-world results (what the researchers actually recovered)

Using their end-to-end implementation on Google Pixel phones, the team attempted to leak 100 different 2FA codes from Google Authenticator on each device. Their success rates for recovering the full 6-digit code were:

  • Pixel 6: 73% of trials (average recovery time 14.3 seconds)
  • Pixel 7: 53% of trials (average recovery time 25.8 seconds)
  • Pixel 8: 29% of trials (average recovery time 24.9 seconds)
  • Pixel 9: 53% of trials (average recovery time 25.3 seconds)

They were unable to leak 2FA codes within the 30-second window on a Samsung Galaxy S25 in their tests; the team attributes that failure to high levels of noise on that device and notes that further tuning would be required to make the attack work there.

Why these results matter (and what they don't mean)

The results show that on some hardware and under certain conditions, Pixnapping can practically recover time-sensitive authentication codes fast enough to be useful to an attacker. But there are important caveats: success depends on the device, the level of background noise, exact timing, and how many pixels the attacker needs to probe. In short, it’s not a universal remote that can immediately read any app anywhere — yet it is a new class of side-channel that bypasses many conventional assumptions about app isolation.

Vendor response and mitigation

Google told the researchers (and later confirmed in an email) that they issued a partial fix for this vulnerability under CVE-2025-48561 in the September Android security bulletin. They also said an additional patch addressing the issue would be released in the December Android security bulletin. According to Google, they had not seen evidence of this technique being used in the wild at the time of the statement.
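
To see which devices in a fleet have reached the bulletin levels mentioned above, compare each device's reported security patch level against them. This is an added example, not code from Google or the researchers; it assumes the bulletins are the 2025 ones, that the level is the YYYY-MM-DD string from the ro.build.version.security_patch property, and that any September level carries the partial fix (the page does not say which patch-level string lists it). The inventory lines are constructed.

```python
from collections import defaultdict
from datetime import date

# Assumed thresholds (year inferred from the CVE id; not stated on the page).
PARTIAL_FIX = (2025, 9)      # September bulletin: partial fix for CVE-2025-48561
ADDITIONAL_FIX = (2025, 12)  # December bulletin: additional patch announced


def classify(patch_level):
    """Map a YYYY-MM-DD security patch level to a fix status."""
    try:
        level = date.fromisoformat(patch_level.strip())
    except ValueError:
        return "unknown"  # empty or malformed value: needs manual follow-up
    month = (level.year, level.month)
    if month >= ADDITIONAL_FIX:
        return "december-level"
    if month >= PARTIAL_FIX:
        return "partial-fix"
    return "no-fix"


def triage(inventory):
    """Group 'device_id,patch_level' lines by fix status."""
    buckets = defaultdict(list)
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, _, patch = line.partition(",")
        buckets[classify(patch)].append(device.strip())
    return dict(buckets)


# Constructed inventory, e.g. collected per device with:
#   adb shell getprop ro.build.version.security_patch
SAMPLE_INVENTORY = """\
# device_id,patch_level
pixel6-lab,2025-08-05
pixel8-qa,2025-09-05
pixel9-dev,2025-12-01
kiosk-04,
"""

if __name__ == "__main__":
    for status, devices in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(devices)}")
```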

Controversy & comment hooks (what to argue about)

Is issuing patches fast enough? Some will say yes — a responsible vendor response and timely security bulletins are standard and effective. Others will argue that partial mitigations leave a window of risk and that research like this forces us to rethink underlying graphics and compositor designs on mobile OSes. Could mobile graphics pipelines be redesigned to remove these timing differences? Would that hurt performance or battery life? Is it reasonable to expect end users to do anything about this, or is this solely a problem for OS and chipset vendors to solve?

Questions for readers — join the debate

  • Do you think operating-system-level fixes are sufficient, or should app developers change how they render sensitive UI elements (for example, by masking or randomizing layouts)?
  • Is the risk of timing-based pixel attacks high enough to change how you use 2FA apps on your phone? Would you switch to hardware tokens for critical accounts?
  • Would stricter app store policies (blocking apps that open hidden windows or perform suspicious graphical operations) help, or would that stifle legitimate uses?

Tell us what you think — agree, disagree, or add another angle. This kind of tradeoff between performance, usability, and security is where the toughest choices are made.


Author: Rueben Jacobs
