New Android Security Flaw Enables Theft of 2FA Codes Without User Permission

A dangerous new security vulnerability dubbed "Pixnapping" allows malicious Android apps to steal two-factor authentication codes and sensitive data without requiring special permissions. The flaw affects devices from Google and Samsung running Android versions 13 through 16, raising significant concerns about the security of multi-factor authentication systems.

Researchers from multiple prestigious universities, including UC Berkeley and Carnegie Mellon, discovered this side-channel attack that can covertly capture authentication codes in under 30 seconds by exploiting Android's core functionality. The discovery has prompted increased scrutiny of mobile application security standards and practices.

Technical Details of the Vulnerability

The attack leverages Android's window blur API and GPU compression features to steal data pixel-by-pixel from legitimate apps. A malicious app can force victim pixels into the rendering pipeline and compute them using semi-transparent Android activities.

"Our key observation is that Android APIs enable an attacker to create an analog to Stone-style attacks outside of the browser," the research team explained. The attack requires no special permissions, though users must first install and launch the malicious app, similar to how traditional malware infiltrates mobile devices.

Security Impact and Vulnerabilities

The flaw, tracked as CVE-2025-48561, allows unauthorized apps to:

• Steal 2FA codes from authentication apps
• Access Google Maps timeline data
• Determine which apps are installed on a device
• Bypass Android 11's app query restrictions

Google issued an initial patch in September 2025 but researchers discovered a workaround method. A Google spokesperson told The Hacker News: "We are issuing an additional patch for this vulnerability in the December Android security bulletin. We have not seen any evidence of in-the-wild exploitation."

Protective Measures

Security experts recommend implementing these protective measures while awaiting the comprehensive patch:

1. Keep your Android device updated with the latest security patches
2. Only install apps from trusted sources like the Google Play Store
3. Monitor installed apps regularly for suspicious behavior
4. Consider using hardware-based 2FA methods instead of authenticator apps until the vulnerability is fully patched

The discovery of Pixnapping highlights the ongoing challenges in mobile security and the importance of rapid vulnerability patching. Users should remain vigilant about which apps they install and maintain regular security updates to protect sensitive data.

For more technical details about this vulnerability, visit the Android Security Bulletin.