Android Hack Can Steal 2FA Codes in Seconds, Researchers Find

Silviu STAHIE

October 14, 2025


2FA codes have become part of our lives, especially if we want to stay safe.

Now imagine you open a banking app or view a 2FA code to log in to an online service, and a malicious app is watching. It doesn’t take screenshots and it doesn’t ask for permissions; it infers the pixels you see, one at a time, from how long your phone takes to draw them.

That is the basis of Pixnapping, a newly discovered Android side-channel attack that lets a malicious app read data straight off the screen in under 30 seconds.

From Browser Tricks to Stolen Data

The idea is not new. A timing side channel that let a malicious web page infer the pixels of a cross-origin iframe, and with them sensitive data from other websites, was first described back in 2013. Browsers closed that hole by restricting what a page can do to content it doesn’t own.

The same class of problem resurfaced in 2023 with the ‘Hot Pixels’ attack, which exploited the frequency, power and temperature behaviour of modern GPUs and SoCs to steal browsing history.

Now a team from UC Berkeley, UC San Diego, Carnegie Mellon, and the University of Washington has carried the same kind of pixel-stealing attack over to Android, where the targets are your messages, your locations, and your 2FA codes.

The researchers named the attack Pixnapping. It abuses how Android composites app windows and how one app can launch another. Even when the victim is using trusted apps such as Gmail, Signal, Venmo, or Google Authenticator, Pixnapping can recover what they display without requesting a single permission, something other Android spying techniques cannot do.

Stop Believing Your Screen Is Private

Pixnapping is dangerous because it abuses Android’s window stacking together with a GPU timing side channel.

Attackers build an app that sends “intents” (Android’s mechanism for asking the system to start another app’s screen) to open regular apps such as Gmail, Maps, or Signal. The malicious app then stacks its own semi-transparent activities on top of the victim’s screen and applies graphical effects to them; the researchers used Android’s window blur. The GPU takes measurably longer to render some pixel colours than others, so by timing each frame the app learns the colour of the pixel it has singled out, and repeats the trick pixel by pixel.

With enough timing measurements, the researchers showed they could:

  • Recover Google Authenticator 2FA codes in under 30 seconds.
  • Read private messages from Signal and Gmail.
  • Steal Google Maps Timeline data revealing past locations.

What makes this attack so dangerous is that it doesn’t rely on screenshots or on the user enabling an accessibility service, the far more common path for Android malware. It simply measures how long your phone takes to render frames that contain a given pixel, and the malicious app needs no permissions at all to do that.
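To make the “one pixel per timing measurement” idea concrete, here is an added simulation of the decoding pipeline such a side channel needs. It is not the researchers’ code and contains no Android API calls: the GPU is replaced by a stand-in model in which frames with a lit pixel take slightly longer to draw plus random jitter (the BASE_MS, DELTA_MS and NOISE_MS values are assumptions, not measurements), the attacker calibrates a threshold on pixels it controls, takes the median of repeated measurements to drown out jitter, and template-matches the recovered bitmap against a constructed 3×5 digit font to read a 6-digit code.

```python
"""Simulation of decoding a pixel-timing side channel (added example, not Pixnapping code).

The rendering model, the noise figures and the 3x5 digit font below are all constructed
for illustration; a real attack measures frame times reported by the OS instead.
"""
import random
import statistics

# Constructed 5-row x 3-column bitmaps for the digits 0-9 ("1" = lit pixel).
DIGITS = {
    "0": ["111", "101", "101", "101", "111"],
    "1": ["010", "110", "010", "010", "111"],
    "2": ["111", "001", "111", "100", "111"],
    "3": ["111", "001", "111", "001", "111"],
    "4": ["101", "101", "111", "001", "001"],
    "5": ["111", "100", "111", "001", "111"],
    "6": ["111", "100", "111", "101", "111"],
    "7": ["111", "001", "001", "001", "001"],
    "8": ["111", "101", "111", "101", "111"],
    "9": ["111", "101", "111", "001", "111"],
}

BASE_MS = 8.0    # assumed frame time when the singled-out pixel is the "fast" colour
DELTA_MS = 0.6   # assumed extra time when it is the "slow" (lit) colour
NOISE_MS = 0.2   # assumed timing jitter (standard deviation)


def render_time(lit: bool, rng: random.Random) -> float:
    """Stand-in for the GPU: frame time depends on the colour of one pixel, plus jitter."""
    return BASE_MS + (DELTA_MS if lit else 0.0) + rng.gauss(0.0, NOISE_MS)


def measure_pixel(lit: bool, rng: random.Random, samples: int) -> float:
    """Time `samples` frames and keep the median so single jittery frames don't flip a bit."""
    return statistics.median(render_time(lit, rng) for _ in range(samples))


def calibrate(rng: random.Random, samples: int) -> float:
    """The attacker times pixels it draws itself (one lit, one dark) to find the midpoint."""
    slow = measure_pixel(True, rng, samples)
    fast = measure_pixel(False, rng, samples)
    return (slow + fast) / 2.0


def recover_bitmap(target, rng: random.Random, threshold: float, samples: int):
    """Leak the target bitmap one pixel at a time: above threshold means 'lit'."""
    rows = []
    for row in target:
        bits = "".join(
            "1" if measure_pixel(ch == "1", rng, samples) > threshold else "0"
            for ch in row
        )
        rows.append(bits)
    return rows


def classify(bitmap) -> str:
    """Template match: the digit whose font bitmap differs in the fewest pixels."""
    def distance(a, b):
        return sum(x != y for ra, rb in zip(a, b) for x, y in zip(ra, rb))
    return min(DIGITS, key=lambda d: distance(DIGITS[d], bitmap))


def recover_code(code: str, seed: int = 1, samples: int = 15):
    """Recover `code` digit by digit. Returns (recovered_code, frames_timed)."""
    rng = random.Random(seed)
    threshold = calibrate(rng, samples)
    frames = 2 * samples                      # calibration frames
    recovered = ""
    for digit in code:
        bitmap = recover_bitmap(DIGITS[digit], rng, threshold, samples)
        frames += 15 * samples                # 15 pixels per digit
        recovered += classify(bitmap)
    return recovered, frames


if __name__ == "__main__":
    result, frames = recover_code("482913")
    print(f"recovered {result} after timing {frames} frames")
```

The point of the median and the template match is robustness: a single noisy frame cannot flip a pixel, and a single wrong pixel rarely changes which digit wins, which is why a real attacker can afford a short per-pixel budget and still finish a whole code in seconds.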

How to Protect Yourself from Pixnapping

There is some good news along with the bad. The researchers reported Pixnapping to Google early in 2025, and Google rated it “high severity.” A fix, tracked as CVE-2025-48561, shipped in the September 2025 Android security bulletin and has reached Pixel devices.

Samsung, on the other hand, has acknowledged the issue but rated it “low severity,” citing hardware complexity. It also remains unclear which devices from other manufacturers are susceptible; the underlying side channel lives in the GPU, not in any one phone model.

Here’s how to stay safe:

  1. Update your Android device immediately. Check for system updates under Settings → System → System update (the exact path varies by manufacturer), then confirm under Settings → About phone that the Android security patch level is September 2025 or later. On a device with USB debugging enabled, `adb shell getprop ro.build.version.security_patch` prints the same value.
  2. Avoid installing apps from unknown sources. Stick to the official Google Play Store.
  3. Use dedicated security solutions. Bitdefender Mobile Security for Android provides a comprehensive suite of tools that can safeguard devices by observing app behavior after installation.
  4. Watch for apps that open other apps or flash screens you didn’t ask for. Pixnapping needs no permissions, so a permission review alone won’t reveal it; if an app opens Gmail, Maps, or Authenticator unexpectedly, uninstall it.

Real Protection Beyond Pixels

Bitdefender Mobile Security is designed to catch advanced threats before they can exploit vulnerabilities.

It continuously monitors your apps for suspicious behaviors – and that includes hidden overlays and unauthorized access.

FAQ: Everything You Need to Know About Pixnapping

1. What is Pixnapping in simple terms?
Pixnapping is a cyberattack that lets hackers read what’s displayed on your Android screen without needing to take screenshots or getting special permissions.

2. Can this attack affect iPhones too?
No. The demonstrated attack depends on Android’s intents and on stacking one app’s activities over another’s, which iOS does not expose to third-party apps in the same way; no iOS variant has been shown.

3. How fast can Pixnapping steal data?
In lab tests, researchers extracted 6-digit Google Authenticator codes in under 30 seconds.

4. Is a fix available?
Yes. Google patched the vulnerability (CVE-2025-48561) in the September 2025 Android security bulletin, and Pixel devices have received it. Each manufacturer must still ship the fix in its own updates, and full mitigation also depends on GPU vendors updating their drivers. Make sure your Android phone is fully updated.

5. What can users do until all phones are patched?
Use dedicated security solutions, update devices as soon as patches are released, and avoid installing unknown apps. All of these steps dramatically lower the risk.

Silviu is a seasoned writer who followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.