What is Pixnapping that can steal verification codes?

  • Pixnapping spies on your Android screen using legitimate APIs and a side channel to steal 2FA codes in seconds.
  • It affects recent models and remains operational despite the CVE-2025-48561 patch; a fix is expected in December.
  • Defense involves reducing what is displayed (FIDO/push keys), updating, and avoiding suspicious apps.
  • Other related threats include QRLjacking, session hijacking, SIM swapping, and malware via fake CAPTCHAs.


The cybersecurity community is in turmoil over a new concept that's putting pressure on Android users: Pixnapping. This attack, named after a play on words between pixel and kidnapping, has proven capable of "seeing" what's painted on your screen and, from there, stealing 2FA verification codes and other sensitive data without raising suspicion or asking for any additional permission.

What's most striking is its discretion: a seemingly innocent app, installed by the user, can leverage legitimate Android APIs and a hardware side channel to reconstruct what other apps display on the screen. In public tests, researchers showed that it is possible to extract temporary codes, such as those from Google Authenticator, in less than 30 seconds, without the user noticing anything unusual.

What is Pixnapping and why it has set off all the alarm bells

Pixnapping is a screen-spying technique that combines system API calls with physical signals from the device (a hardware side channel) to infer what is being displayed in real time. From a practical point of view, it is enough for the information to be visible on the screen for it to be reconstructed and silently exfiltrated.

The key difference from other mobile scams is that the malicious app doesn't require special permissions. It doesn't request accessibility, it doesn't read notifications, and it doesn't require screenshots. Yet, it manages to observe rendering patterns and "stitch" the information it sees. In plain English: if you see it, the attacker can make a copy without you knowing.

Researchers have validated the attack on recent models: Google Pixel 6, Pixel 7, Pixel 8 and Pixel 9, as well as a Samsung Galaxy S25. And they didn't stop at theory: they demonstrated data recovery from Gmail, Google accounts, Signal, Google Authenticator, Venmo, and Google Maps, making it clear that the problem cuts across multiple apps and services.

There's an important caveat: if a secret is never drawn on screen (e.g., a stored but not visible key), Pixnapping can't capture it. The risk is concentrated on what is rendered and visible to the human eye, such as the digits of a TOTP, an SMS message with an OTP, or sensitive data that appears in notifications or windows.

How they steal 2FA codes and other visible data

2FA codes

When you open your authenticator app or receive a one-time code, that content is drawn on the screen. That's where Pixnapping comes in: by observing rendering patterns and signals associated with the drawing process, it can reconstruct what appears and extract it with enough fidelity to capture a TOTP code or a key sent by SMS.

This explains why it works with locally generated codes (TOTP in apps like Google Authenticator) and also with one-time passwords that appear in messages, notifications, or pop-ups. If it's visible, there's an attack surface. Speed matters here: the researchers showed that a malicious app can read and exfiltrate the code in less than half a minute, without any additional user interaction.

However, the scope has natural limits. If an app hides critical assets and doesn't render them (for example, TOTP secrets stored internally without displaying them), there's nothing to "spy" on the canvas. Hence the recommendation to minimize the visual exposure of keys and to avoid letting notifications with sensitive content be seen on the lock screen.

In technical terms, the use of legitimate APIs makes it harder for the system to detect, since no high-risk permissions are abused. And the use of a hardware side channel gives it a silent advantage: you won't see permission pop-ups or special alerts, which makes it easier for the attack to go unnoticed by the victim.

Affected models, impacted apps, and patch status

In the published tests, the research team achieved functional attacks on several Google phones (Pixel 6, 7, 8, and 9) and a Samsung Galaxy S25. Although the validations were limited to these devices, the described side channel suggests that most modern Androids could be affected until more significant mitigations are implemented.

In an attempt to stop the vector, Google has distributed a patch identified as CVE-2025-48561. However, the study's authors noted that even with that update installed, Pixnapping continued to work in testing. That is, the first mitigation reduces some of the risk, but it doesn't completely close the door.

The company has indicated that it will publish an additional reinforcement in the December Android security bulletin. Until that second patch arrives and is consolidated among manufacturers, the best defense is user prudence: stay up to date with updates, activate Play Protect, avoid apps outside official stores and be wary of unknown developers.

When it comes to apps, the range is broad: from secure messaging like Signal to authentication managers like Google Authenticator, including Gmail, Venmo, and Google Maps. The common thread is that they display information that, by design, is meant to be visible. That's why the focus should be on reducing visible sensitive content whenever feasible.

Practical mitigations: what you can do today to reduce your risk

While low-level solutions to block side channels are coming, there are habits that help. First, if the service allows it, move from visible codes to phishing-resistant methods: FIDO security keys or push approvals, instead of TOTP that appears on screen for several seconds.

Hide sensitive notifications on the lock screen and disable previews that show codes or message fragments. Minimize the amount of time a TOTP remains visible. At the same time, keep Android updated, prioritize security patches, and leave Play Protect enabled. If you have the slightest doubt about an app, uninstall and scan with your antivirus.

Other useful measures: install from official stores, check the developer's reputation, and read recent reviews. If an app requests permissions that don't make sense for its purpose, that's a bad sign. And of course, don't share codes that arrive via SMS or instant messaging, even if a supposed technician or a known contact asks you to: no one legitimate will ask you for that code.

For web sessions, avoid public Wi-Fi networks when banking, emailing, or shopping; if there's no alternative, use a trusted VPN. Check the HTTPS lock, log out after sensitive tasks, and review connected devices in your accounts. If something doesn't sound familiar, revoke access immediately.

QRLjacking and other QR code scams: Why they work and how to avoid them

The rise of QR codes has brought convenience… and new traps. QRLjacking exploits that trust to sneak in a seemingly legitimate QR code that redirects you to a site controlled by the attacker. On some services, this QR code is used to log in or link a session, so, unwittingly, you hand over your session to the criminal.

A widespread variant is QR Code Jacking: the attacker prints a fake code and pastes it over the real one on parking meters, charging stations, or signs. The website you land on is a fake that requests your card details, and, bam! you end up on a fraudulent payment gateway. Actual incidents of this type have already been documented in public parking lots.

There's also quishing, emails with QR codes that pretend to come from your bank or the government. They invite you to verify your information or take advantage of an offer. You scan, arrive at a cloned site, and are asked for credentials or other sensitive information. There have even been "innocent" scanning apps on official stores that later turned out to contain malicious behaviors.

How to defend yourself: Check the source before scanning, use a reader that doesn't automatically open links, and examine the physical QR code in case it appears overlaid or printed differently. When in doubt, type the address into your browser instead of following the QR code. In businesses and at events, it is a good idea to audit visible codes periodically.

Web session hijacking: same target, different route

When you log in to a website, the server issues a session ID (usually in a cookie) that authenticates you. If an attacker obtains this ID, they can impersonate you. There are several ways: XSS to steal cookies, sniffing on unencrypted networks, session fixation, or man-in-the-browser Trojans that intercept and alter transactions.

Although they are sometimes confused, session hijacking is not the same as session spoofing. In the former, the attacker takes control of an already active user session. In the latter, they create a new session impersonating the user from scratch. In both cases, the consequences can include identity theft, fraud, and chained access to other services when SSO is in use.

Real-life cases have shown everything from video call intrusions to vulnerabilities in large platforms that exposed cookies or tokens in URLs. The defense recipe: be wary of unsolicited links, avoid public networks, use reliable VPNs if there's no alternative, enable MFA on all your services, configure session expiration and review policies and keep your antivirus up to date.
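The server-side countermeasures this section lists (HttpOnly against cookie theft via XSS, Secure against sniffing on unencrypted networks, a fresh session ID at login against fixation, idle expiry, and closing every session except the current one), as an added Python example that is not from the article or any real service; SessionStore, SESSION_TTL and the cookie name are assumptions.

```python
import secrets
import time

# Assumed idle-timeout policy: seconds of inactivity before re-login is required.
SESSION_TTL = 15 * 60

class SessionStore:
    """Server-side session table; the browser only ever holds an opaque ID."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._sessions = {}        # session id -> {"user": ..., "last_seen": ...}

    def create_anonymous(self):
        sid = secrets.token_urlsafe(32)   # 256 random bits, not guessable
        self._sessions[sid] = {"user": None, "last_seen": self._now()}
        return sid

    def login(self, sid, user):
        # Session fixation defence: the ID the client held before authenticating
        # (possibly planted by an attacker) is discarded and a fresh one issued.
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "last_seen": self._now()}
        return new_sid

    def resolve(self, sid):
        """Return the user bound to sid, or None if unknown, anonymous or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > SESSION_TTL:
            del self._sessions[sid]       # idle too long: force re-authentication
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def revoke_others(self, user, keep_sid):
        # "Close all active sessions except the one you are using".
        stale = [s for s, e in self._sessions.items() if e["user"] == user and s != keep_sid]
        for s in stale:
            del self._sessions[s]
        return len(stale)

def session_cookie(sid):
    # HttpOnly: page scripts (XSS) cannot read it.  Secure: never sent over plain
    # HTTP, so it cannot be sniffed on an open Wi-Fi.  SameSite=Lax: not attached
    # to cross-site requests that a hijacker's page could trigger.
    return f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
```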

WhatsApp hijacking and identity theft: the 6-digit code scam

A damaging pattern is repeated on WhatsApp: the attacker starts registering your number on another device, the app sends the verification code via SMS to the legitimate phone, and then they contact you impersonating a family member, a friend, or even the platform's supposed technical support. They ask you for the code "by mistake" or for "verification," and if you give it up, you lose control of the account.

Once inside, they can activate two-step verification to make things more difficult for you, write to your contacts requesting money via Bizum, or spread malicious links. There have been reports of calls with foreign prefixes posing as support staff who "detected an unauthorized login," an alibi that sounds plausible but is intended to tear out that critical code.

To protect yourself: Never share your six-digit code, enable two-step verification in WhatsApp (Settings > Account > Two-Step Verification), and be wary of urgent messages asking you to act immediately. If your account has been stolen, try to recover it by requesting a new code and activate two-step verification immediately.

Also, notify your contacts as soon as possible to break the chain of fraud. Save screenshots and messages as evidence in case you need to file a complaint. In Spain, INCIBE's 017 Hotline can help you with free advice in cases of fraud, impersonation and account theft.

SIM swapping: when your number is transferred to someone else

SIM swapping is a timeless classic. Using personal data obtained through social engineering (or leaks), criminals ask your network provider for a duplicate SIM card. Suddenly, you lose coverage, and when you connect to Wi-Fi, you start seeing alerts about suspicious activity. The goal is to intercept verification SMS and access recovery.

Preventive measures: Set up security properly with your carrier, use MFA that doesn't rely on SMS (FIDO keys or apps with extra protection), monitor notifications of changes to your account, and if you lose coverage unexpectedly, call your carrier immediately. In your online services, check recovery numbers and emails to detect unauthorized modifications.

Fake CAPTCHAs that install malware: the “copy and paste” scam


Another rising tactic abuses fake CAPTCHA verifications. Through ads or redirects, you end up on a page that simulates a security test or a browser error. You're asked to copy a command (for example, a PowerShell one) and run it. If you do, you download silent malware that steals credentials, cookies, and cryptocurrencies.

These campaigns have claimed tens of thousands of victims in various countries. The prevention measures are clear: if a site asks you to execute commands, close the tab; don't download anything except from completely trusted sources; maintain a reliable antivirus and use a password manager to minimize the damage if an account is compromised. Information and caution reduce the impact of these campaigns.

DNS hijacking: When you type correctly but end up on the attacker's website

DNS hijacking manipulates domain name resolution to take you to a server controlled by the attacker. You type in the correct address, but the DNS response is poisoned, and you end up on a clone that asks for credentials or pushes you to download malware without you noticing.

Criminals can compromise routers, intercept DNS queries, or modify records at insecure providers. Although sometimes used for censorship purposes, the result for the user is the same: if the record points to the wrong IP, your data is exposed. Use encrypted DNS whenever possible and don't ignore invalid-certificate alerts.

Quick guide to good practices against pixnapping and related threats

There are common guidelines that can strengthen your security against Pixnapping, malicious QR codes, session hijacking, and messaging fraud. Apply them like a "belt and suspenders" to reduce your attack surface and gain time against new variants. The key is to update, distrust, and minimize exposure.

  • Keep Android and apps up to date; prioritize patches that mitigate side channels and screen leaks, and leave Play Protect active.
  • Install only from official stores and assess the developer's reputation; if something smells fishy, uninstall it and run an antivirus scan.
  • Avoid showing sensitive codes or data; use FIDO keys or push approvals instead of visible TOTP and hide sensitive notifications on the lock screen.
  • With QR, distrust by default: Check the physical code, don't open automatic links, and type in the website if you have any doubts.
  • Do not share codes via SMS or apps; enable 2FA on everything and call your carrier if you lose coverage for no reason (possible SIM swapping).
  • For web sessions: Avoid public networks, use VPN if necessary, verify HTTPS, log out after sensitive tasks, and revoke suspicious devices.
  • Report fraud and malicious sites to official channels (e.g. INCIBE/OSI, National Police or Civil Guard) to speed up blockages.

What to do if your account is stolen or impersonated

Take a deep breath and act methodically. First, document everything that happened with screenshots and logs. The more evidence, the better. Then, try to regain access: change passwords, enable MFA, and check emails and recovery numbers in case the attacker has modified them. For services with session management, close all active sessions except the one you are using.

Inform your contacts of what happened to prevent potential scam attempts in your name. Report it through the channels provided by each service (social media, email, messaging), and if there has been damage or risk to your finances or identity, consider filing a report with the National Police or Civil Guard. In Spain, INCIBE's 017 hotline offers specialized, free help.

Frequently Asked Questions about Pixnapping

Which mobile phones are affected? While testing was done on multiple Pixels (6, 7, 8, 9) and a Galaxy S25, the described side channel suggests that most modern Androids could be impacted until deeper mitigations are available at the system and hardware level.

Does the current patch work? Google released CVE-2025-48561 to mitigate the vector, but public testing indicates the attack was still viable. An additional countermeasure was announced for the December Android bulletin; keeping your device up to date reduces the risk without eliminating it completely for now.

Can it steal hidden secrets? No. If the information is never rendered on screen, Pixnapping can't capture it. Reducing the exposure of TOTPs and shortening their time on screen helps lower the probability of theft.

Which apps are in the spotlight? Any app that displays sensitive information. In testing: Gmail, Google accounts, Signal, Google Authenticator, Venmo, and Google Maps. The vector cuts across different types of applications.

The big picture is clear: attackers are going after what we see and what we mindlessly approve. Strengthening authentication with FIDO keys or push approvals, limiting the visibility of sensitive data, and being careful about what we scan or install makes a difference. Until low-level patches mature and are integrated across all manufacturers, combining rapid updates with good digital hygiene habits is the most effective way to keep risks like Pixnapping and the like at bay.
