A new vulnerability named Pixnapping represents a dangerous threat targeting Android devices. It allows malicious apps to intercept sensitive data, such as two-factor authentication (2FA) codes, without needing elevated permissions. The attack brings together two novel techniques to exploit the Android window blur API, and it focuses on data leaking through rendering. Researchers have found that the methodology required for this exploit is already accessible on every device. It only impacts devices currently running Android versions 13 to 16.
The research shows that anyone can carry out Pixnapping with any Android app, even one that requests no special permissions in its manifest file. This wide availability raises legitimate fears of wide-scale abuse. The researchers focused their investigation on five devices from Google and Samsung, confirming that the vulnerabilities could be exploited across a range of popular models.
Understanding Pixnapping
Pixnapping implements its own side channel named GPU.zip. In a similar vein, an even worse vulnerability was initially disclosed by many of the same researchers back in September 2023. The attack uses a compression feature present in all modern integrated GPUs (iGPUs) to efficiently perform cross-origin pixel-stealing attacks. Attackers can obfuscate visual data by injecting Scalable Vector Graphics (SVG) filters through browsers. This enables them to glean private data that victims have put into their applications.
The researchers note that Google has not found any bad-faith exploitation of Pixnapping on the Google Play Store. The risk of misuse is still a deep concern. The vulnerability lets an attacker conduct analogs of well-known timing attacks outside of the browser context. IoT malware increases the number of threats Android users could be targeted with.
“Our key observation is that Android APIs enable an attacker to create an analog to Paul Stone-style attacks outside of the browser,” – Researchers
Researchers are focusing attention on how app layering can be used to manipulate mobile environments. They say that the inherent design of mobile applications, which encourages collaboration and multi-actor involvement, makes strict restrictions challenging to implement.
“Like browsers at the beginning, the intentionally collaborative and multi-actor design of mobile app layering makes the obvious restrictions unappealing,” – Researchers
Google’s Response and Mitigation Efforts
In reaction to this discovery, Google went above and beyond by proactively accepting and fixing the Pixnapping vulnerability before it was assigned. Google issued a patch for CVE-2025-48561 in its September Android security bulletin. This fix goes a long way toward mitigating the damage of this new attack vector, which has already been seen in the wild. Google is working on a complete fix that’s intended to close down the vulnerability entirely.
“We issued a patch for CVE-2025-48561 in the September Android security bulletin, which partially mitigates this behavior,” – Google Spokesperson
Besides the four patches above, there’s another patch specifically focusing on the Pixnapping vulnerability which will be released as part of December’s Android security bulletin. This update is intended to add an extra layer of mitigation to what’s already there and keep users safe from future exploits.
Future Considerations
The rise of Pixnapping highlights the new and ongoing cybersecurity threats that mobile device users currently face. With attackers becoming more capable and using more advanced attack patterns, strong security systems have never been more essential. The researchers recommend a pragmatic approach to this insidious new hazard: they suggest that sensitive applications be allowed to voluntarily opt out of some functionality, while preventing attackers from making measurements.
“App layering is not going away, and layered apps would be useless with a no-third-party-cookies style of restriction,” – Researchers
By enacting good discipline and strong practices, developers can deter the creation of new attack methods. At the same time, they can protect user experience and application functionality.