At the 2025 ACM Conference on Computer and Communications Security, a research team from the University of California, Berkeley, unveiled a new attack method targeting Android devices, dubbed "Pixnapping". The attack coerces users into installing a malicious app, which then steals sensitive information displayed on the screen, including two-factor authentication (2FA) codes, chat histories, emails, and even location timelines, all without needing system-level permissions. It exploits a side-channel vulnerability in GPU rendering: by measuring differences in pixel rendering times, the app reconstructs screen images.
Experimental results show that on Google Pixel series phones, the attack can steal a complete 6-digit 2FA code in an average of 14 to 26 seconds, with success rates ranging from 29% to 73%. In response, Google implemented partial mitigation measures in its September security bulletin and plans to roll out a comprehensive patch in December.
