Academic researchers from several U.S. universities have uncovered a security flaw named "Pixnapping" that enables malicious Android apps to extract sensitive on-screen data without any operating system permissions. This attack has serious implications for Android user security.
How Pixnapping Works
Pixnapping exploits Android's rendering system using a GPU side-channel technique, labeled GPU.zip. Through the manipulation of the window blur API and vertical synchronization callbacks, attackers can cause specific pixel manipulations and measure timing differences to recreate pixel values.
The attack bypasses Android's screenshot detection, allowing attackers to capture visible screen content undetected. Researchers tested the technique on several Pixel models and the Samsung Galaxy S25, achieving variable results.
Device Vulnerability and Mitigations
Tests showed Pixnapping worked with variable reliability on Pixel 6 to 9 devices but failed on the Galaxy S25 due to noise. After the issue was disclosed to Google in February 2023, they rated it with high severity.
Google implemented a mitigation on September 2, 2023, which limited blur operations. Despite this, researchers released a workaround shortly after. A comprehensive patch will be included in December's Android security bulletin. The vulnerability is identified as CVE-2025-48561.
Security Recommendations
Users are advised to ensure their devices remain updated with the latest Android patches. Researchers suggested potential app-level mitigations, such as limiting transparent layering or obscuring sensitive content during such operations. Additionally, the source code for the Pixnapping exploit will be released once comprehensive fixes are in place.
