A newly disclosed Android side-channel named Pixnapping squeezes time-based one-time passwords out of authenticator apps with disconcerting ease, undermining one of the few remaining factors in favor of online account security. The attack, established by a group of US university researchers, captures the six-digit codes in real time with no special permissions, and Google’s premature solution closes it only partially.

What Pixnapping actually does and how it performs

Pixnapping adversaries targeted the ephemeral numeric codes created by apps such as Google Authenticator, which rotated every 30 seconds. Our squad recovered complete 2FA codes in 73% of tests on Pixel 6, 53% on Pixel 7, and 29.05% on Pixel 8 using evidence-based assessments on recent Pixel samples. They stated a mean peak of 14.3 seconds (Pixel 6) to around 25 seconds on newer models. The latter was quick enough to beat the expiration wall.

Table of Contents

What Pixnapping actually does and how it performs
How the Pixnapping side-channel attack works on Android
What users can do right now to reduce their risk
Why this matters for 2FA security and beyond

Guidance for organizations

Pixnapping attack steals Android 2FA codes from compromised phone

The same method was also used to gradually retrieve sensitive on-screen text from other apps. According to one hypothetical example, a Signal communication was exfiltrated in 25–42 hours using a non-optimized strategy. The crew emphasizes that this exposure is not new and is more focused on screen information leakage than 2FA codes.

How the Pixnapping side-channel attack works on Android

Instead of using traditional screenshot or overlay permissions, Pixnapping uses benign graphics behaviors in Android’s rendering pipeline. By stacking semi-transparent UI elements and watching how the system composites pixels, a malicious app can calculate the content underneath one pixel at a time and then combine those inferences into digits. The researchers call this a side-channel because it arises from how Android routes other apps’ activities through shared rendering components, including those initiated by Intents.

Because the proof-of-concept does not require additional permissions, social engineering is a critical barrier to adoption: the attacker has to persuade the target to install and launch a crafted app. Nevertheless, the technical bar is lower than many data exfiltration techniques, although productive exploitation still needs expertise and adjustment to device-specific nuances. The issue is tracked as CVE-2025-48561 and has received a high-severity rating.

Google was notified of the issue early this year and rolled out a partial remedy in the September Android security update. Still, the researchers discovered a usable bypass that enables pixel inference under specific limitations, and they say that the initial mitigation was insufficient on some Samsung devices.

Pixnapping attack steals Android 2FA codes from smartphone screen

Android’s defense-in-depth model usually employs secure screen sharing to prevent this kind of abuse. Pixnapping exposes another area, however: information seepage through legitimate graphic processes. It is difficult to close this gap cleanly through technical measures because radical changes to compositing, blending, or cross-app rendering have the potential to harm important accessibility, overlay, and UI effects. As a result, expect several update iterations as Google and OEMs home in on the side-channel without worsening the user experience.

What users can do right now to reduce their risk

No single toggle neutralizes Pixnapping across all devices today, but layered hygiene cuts risk substantially:

Install updates promptly from Google or your device vendor, including the latest Android security patches.
Avoid sideloading and scrutinize apps, even in official stores; do not grant unnecessary privileges, especially accessibility or overlay capabilities.
Prefer phishing-resistant strong authentication where offered. Hardware security keys and passkeys (FIDO2/WebAuthn) remove the code entry step entirely and are immune to TOTP leakage.
If you must use codes, prefer in-app prompts with number matching or transaction details when services offer them; these substantially reduce the value of a leaked TOTP alone.
Consider locking your authenticator behind a screen requiring biometric or PIN confirmation, so an attacker has less time on screen to infer pixels if they trick you into opening another app.

Why this matters for 2FA security and beyond

Most authenticator apps keep secrets offline and never transmit them over the network, which is why TOTP remains widely recommended by standards bodies and large platforms. Pixnapping doesn’t break the cryptography; it sidesteps it by observing the result as it’s rendered. The same principle could apply to other sensitive on-screen data such as one-time recovery codes, banking OTPs, or even parts of chats and emails.

Security teams at major platforms have long advised migrating high-risk users to phishing-resistant factors. This research adds urgency for mainstream adoption. Organizations should further:

Guidance for organizations

Implement robust support for passkeys and security keys.
Harden mobile device management policies against unvetted apps.
Monitor vendor bulletins from Google, MITRE’s CVE program, and device manufacturers for follow-on mitigation.

As with many side-channels, the takeaway is not panic but posture. The Android ecosystem is already moving to further constrain the leakage pathway, and the attack is local app execution plus environmental discovery. However, Pixnapping is a useful reminder: strong authentication is only as strong as the platform rendering it. The shortest path to resilience is to apply available updates and accelerate the shift to authentication methods that don’t reveal the secret in the first place.