[ad_1]
Android units are weak to a brand new assault that may covertly steal two-factor authentication codes, location timelines, and different non-public knowledge in lower than 30 seconds.
The brand new assault, named Pixnapping by the crew of educational researchers who devised it, requires a sufferer to first set up a malicious app on an Android cellphone or pill. The app, which requires no system permissions, can then successfully learn knowledge that another put in app shows on the display screen. Pixnapping has been demonstrated on Google Pixel telephones and the Samsung Galaxy S25 cellphone and sure might be modified to work on different fashions with extra work. Google launched mitigations final month, however the researchers stated a modified model of the assault works even when the replace is put in.
Like Taking a Screenshot
Pixnapping assaults start with the malicious app invoking Android programming interfaces that trigger the authenticator or different focused apps to ship delicate info to the system display screen. The malicious app then runs graphical operations on particular person pixels of curiosity to the attacker. Pixnapping then exploits a facet channel that enables the malicious app to map the pixels at these coordinates to letters, numbers, or shapes.
“Something that’s seen when the goal app is opened could be stolen by the malicious app utilizing Pixnapping,” the researchers wrote on an informational web site. “Chat messages, 2FA codes, e mail messages, and so forth. are all weak since they’re seen. If an app has secret info that isn’t seen (e.g., it has a secret key that’s saved however by no means proven on the display screen), that info can’t be stolen by Pixnapping.”
The brand new assault class is harking back to GPU.zip, a 2023 assault that allowed malicious web sites to learn the usernames, passwords, and different delicate visible knowledge displayed by different web sites. It labored by exploiting facet channels present in GPUs from all main suppliers. The vulnerabilities that GPU.zip exploited have by no means been fastened. As an alternative, the assault was blocked in browsers by limiting their means to open iframes, an HTML component that enables one web site (within the case of GPU.zip, a malicious one) to embed the contents of a web site from a unique area.
Pixnapping targets the identical facet channel as GPU.zip, particularly the exact period of time it takes for a given body to be rendered on the display screen.
[ad_2]
