
Warning to Android Crypto Users: New ‘Pixnapping’ Attack Can Steal Seed Phrases Directly From Your Screen

Cybersecurity researchers at Carnegie Mellon University have identified a new Android vulnerability that could allow attackers to steal sensitive on-screen data, including crypto wallet seed phrases and two-factor authentication (2FA) codes, without any special permissions.

The attack, named Pixnapping, targets devices from Google and Samsung and uses a previously known GPU side-channel technique called GPU.zip.

The attack begins when a user installs a malicious app, which then silently invokes another application, such as a crypto wallet or authenticator app, from which it intends to extract data.

Source: Pixnapping research paper

It manipulates graphical operations on the specific pixels where sensitive information is typically displayed, reconstructing those pixels one by one through side-channel timing analysis.

The researchers compared this process to taking unauthorized screenshots of data visible on the screen.

Pixnapping uses Android's window blur API and VSync callbacks to force sensitive pixels into the rendering pipeline, layering semi-transparent activities on top of them to measure how long certain frames take to render.

These timing patterns reveal the color value of each pixel, from which the sensitive data can then be reconstructed.

Pixnapping Exploit Targets Screen Pixels to Bypass Android App Isolation

The attack has been successfully demonstrated on Google Pixel 6 through Pixel 9 devices, as well as the Samsung Galaxy S25, running Android versions 13 through 16.

Tests showed that the researchers were able to recover 2FA codes from Google Authenticator with success rates between 29% and 73%, depending on the device model.

On average, the attack retrieved a full six-digit code in under 30 seconds, fast enough to exploit the short validity window of most 2FA codes.

The team noted that while recovering long recovery phrases would take more time, crypto seed phrases remain highly vulnerable if left visible while being written down.

Since these phrases stay on the screen longer than time-sensitive codes, attackers could potentially reconstruct them pixel by pixel if users are not careful.

The vulnerability, tracked as CVE-2025-48561, was reported to Google in February 2025. A partial patch was issued with September's Android security update, but the researchers said they found a workaround that allows the attack to keep working.

Google has since acknowledged the issue as high severity and confirmed that a second fix is being developed, expected in December.

In their tests, the researchers were able to extract sensitive data not only from crypto wallets and Google Authenticator but also from applications such as Gmail, Signal, Venmo, and Google Maps.

Because the exploit targets visible screen content rather than stored files or permissions, even strict app isolation measures fail to block it.

According to the researchers, Google initially tried to mitigate the flaw by limiting how many activities an app can blur simultaneously, but this proved insufficient. They have also alerted Samsung that the patch does not protect its devices.

Security experts advise crypto users to avoid displaying recovery phrases or 2FA codes on internet-connected devices.

Instead, they recommend using hardware wallets, which store private keys and recovery phrases offline, preventing exposure through screen-based attacks like Pixnapping.

Crypto Investors Face Rising Android Malware Threats

A surge in Android-based crypto malware has intensified global cybersecurity concerns, with several major incidents surfacing over recent months.

In April, researchers uncovered "Crocodilus," a remote-access trojan targeting crypto wallet users in Turkey and Spain. Exposed by ThreatFabric, the malware disguises itself as legitimate crypto apps, tricking victims into revealing their seed phrases through fake security alerts.

Once installed, it abuses Android's Accessibility Services to steal passwords, intercept two-factor codes, and capture wallet credentials, all while masking its activity behind a black-screen overlay.

Security experts say Crocodilus spreads through multiple channels, including phishing emails, compromised websites, and malicious ads, making it difficult to trace the original dropper.

The discovery follows reports of broader malware campaigns tied to fake AI, gaming, and Web3 startups.

According to cybersecurity firm Darktrace, attackers have built convincing online presences, complete with fake company websites, social profiles, and GitHub repositories, to lure users into downloading infected software.

The campaigns use malware families such as Realst and Atomic Stealer, capable of exfiltrating wallet data on both Windows and macOS.

Analysts warn that these scams represent a growing sophistication in crypto-focused attacks, combining social engineering with advanced obfuscation and persistent execution techniques.

Cybersecurity experts advise users to verify a project's legitimacy, avoid downloading software from unverified sources, and remain wary of unsolicited offers or airdrops, especially those linked to new "startups" or crypto platforms promising exclusive access or rewards.

The post Warning to Android Crypto Users: New 'Pixnapping' Attack Can Steal Seed Phrases Directly From Your Screen appeared first on Cryptonews.
