If You Have an Android, Read This: Hackers Can See Your Screen–And Steal What's On It


With modern hardware, you might think Android smartphones are harder to compromise. However, cyber threats have evolved, introducing more sophisticated methods to compromise your device. A newly discovered case now shows Android devices being targeted by malware that steals information directly from the screen.
Security researchers from several US universities have detailed an emerging threat in a white paper. The attack relies on a pixel-stealing technique and has been dubbed "Pixnapping." Even more concerning, it does not require any change in permission levels, which makes it one of the most dangerous types of malware identified so far.
An App That Reads Your Screen’s Pixels
The threat involves a malicious app that targets Android devices, including Google Pixel and Samsung Galaxy smartphones. It works by reading each pixel on the screen through repeated background screenshots, then reassembling the data into a readable format. This technique can be used to spy on sensitive messages, passwords, and two-factor authentication codes from apps like Google Authenticator.
The research team demonstrated how the attack works. Once the malicious app is installed, it begins operating silently in the background. In one example, the app successfully read codes from the Authenticator app without the user being aware of it.

This stolen data is then sent to a remote server controlled by the attackers. From there, they can access accounts and perform further actions, such as changing settings or making purchases in financial and retail apps.
Further testing showed that the effectiveness of the malware varies by device. Newer models are more resistant, but not immune. For instance, the recovery rate of two-factor codes was 53% on the Pixel 9, compared to 73% on the Pixel 6. The time required to extract the codes also differed, with 25.3 seconds on the Pixel 9 and 14.3 seconds on the Pixel 6.
According to the report, although data sharing is typically restricted for apps and websites, a loophole in Android APIs is being exploited by malware to read and interpret pixel data on the screen.
Google Has Not Fully Addressed the Threat
The researchers reported the flaw, labeled CVE-2025-48561, to Google in February. The company issued a partial fix in the September security update, but the patch does not fully resolve the vulnerability. Google has stated that a more comprehensive update is planned.
While we wait for a permanent fix, users can take steps to protect their devices. This includes updating the operating system and apps to the latest versions. It is also advisable to enable built-in protections, avoid installing third-party apps from unknown sources, and regularly review app permissions.
For stronger security, consider using hardware-based two-factor authentication instead of relying solely on software solutions from third-party apps.
What measures do you recommend to keep devices and data safe from these kinds of attacks? We welcome your suggestions in the comment section.
Via: Malwarebytes