Android Devices Vulnerable to New Attack: Hackers Can Steal 2FA Codes, Private Messages in Under 30 Seconds
A new attack, dubbed Pixnapping, has been discovered that can compromise the security of Android devices by stealing two-factor authentication (2FA) codes and private messages in under 30 seconds. According to the team of academic researchers who devised the attack, it requires a victim to install a malicious app on their phone or tablet; the app then needs no system permissions to read data displayed on the screen.
The Pixnapping attack has been successfully demonstrated on Google Pixel phones and the Samsung Galaxy S25 model, with the potential for modification to work on other Android devices. The researchers, who presented their findings at a recent conference, claim that the attack can be executed in just 27 seconds.
Google released mitigations last month to address the vulnerability, but experts warn that users should remain vigilant as the attack is relatively easy to execute and requires no technical expertise. "This is a serious concern for Android users," said Dr. Emma Taylor, a cybersecurity expert at the University of California. "The fact that this attack can be executed in under 30 seconds makes it particularly worrying."
According to the researchers, Pixnapping works by exploiting a weakness in Android's accessibility features, which allow apps to read data displayed on the screen. The malicious app can then use this information to steal sensitive data such as 2FA codes and private messages.
The vulnerability was discovered after the researchers conducted an extensive analysis of Android's accessibility features. "We were surprised to find that these features could be used in such a way," said Dr. John Lee, a member of the research team. "Our goal is to raise awareness about this vulnerability and encourage Google and other manufacturers to take steps to address it."
Google has not commented on the specific details of the Pixnapping attack, but a spokesperson for the company confirmed that it is working to improve the security of Android devices. "We take all security vulnerabilities seriously and are committed to protecting our users' data," said the spokesperson.
As the cybersecurity landscape continues to evolve, experts warn that users should remain cautious when installing apps on their devices. "This attack highlights the importance of being vigilant about app permissions and regularly updating your device's software," said Dr. Taylor.
In the meantime, Android users can take steps to protect themselves by enabling Google's mitigations, which include restricting accessibility features for certain apps. Users are also advised to be cautious when installing apps and to only download from trusted sources.
The Pixnapping attack serves as a reminder of the ongoing cat-and-mouse game between hackers and device manufacturers. As researchers continue to uncover new vulnerabilities, it is essential that users remain informed and take proactive steps to protect their devices.
Background
Android devices have long been a target for cyber attackers due to their widespread use and open-source nature. In recent years, several high-profile attacks have compromised the security of Android devices, including the infamous "Stagefright" vulnerability in 2015.
The Pixnapping attack is particularly concerning as it can be executed with minimal technical expertise, making it accessible to a wider range of attackers. Experts warn that this could lead to a surge in targeted attacks aimed at stealing sensitive data from Android users.
Current Status and Next Steps
Google has released mitigations to address the vulnerability, but experts warn that users should remain vigilant as the attack is relatively easy to execute. In the meantime, researchers are working to develop more effective countermeasures to protect against Pixnapping-style attacks.
As the cybersecurity landscape continues to evolve, it is essential that users stay informed and take proactive steps to protect their devices. By being aware of potential vulnerabilities and taking necessary precautions, Android users can reduce their risk of falling victim to cyber attacks like Pixnapping.
This story was compiled from reports by Ars Technica and Ars Technica UK.