Android Vulnerability Exposes 2FA Codes in Under 30 Seconds

Security researchers have revealed a novel Android vulnerability that can silently harvest two-factor authentication (2FA) codes, private messages, and location data from a phone’s display (via ArsTechnica).

The alarming exploit, dubbed ‘Pixnapping,’ works even when the malicious app requests no permissions at all, and current defenses have not fully blocked it.

Pixnapping exploits a side channel in modern smartphone graphics systems combined with Android APIs. A malicious app triggers a target app (such as a 2FA authenticator or messaging client) to draw sensitive content on screen. While that content is being rendered, the malware overlays a semi-transparent window and measures the time it takes to render individual pixels.

Because the exploit does not require permissions like screen capture or access to notifications, it can stay hidden from users and security tools. Test runs showed that on Google Pixel models (Pixel 6–9), the attackers often recovered six-digit codes in 14 to 26 seconds, well within the typical 30-second window those codes remain valid.

The research team also tested the attack on Samsung’s Galaxy S25. Their first attempt failed due to noise interference, but they believe further refinements will succeed.

Google has acknowledged the vulnerability, assigned it CVE-2025-48561, and rated it a serious risk. In its September 2025 Android security bulletin the company introduced mitigation steps intended to restrict part of the behavior. However, the researchers found a workaround that revived most of the exploit’s power despite those mitigations.

Google plans to issue another patch in its December security bulletin, but as of now no complete fix exists. The company also notes it has seen no evidence that Pixnapping is being used in real malware campaigns yet.

Because the same underlying graphics and API mechanisms are present across Android devices, researchers warn that other brands beyond Pixel and Samsung could also be vulnerable.

Lèon
6 months ago

The exploit is brilliant