The Weekly Breach Breakdown: The Stolen Goods – Pixnapping Attacks Target Android Devices
- 10/24/2025
Summary
- A new class of Android attacks, known as pixnapping, has been uncovered by researchers from the University of California, Berkeley, the University of California, San Diego, the University of Washington and Carnegie Mellon University.
- These attacks can steal sensitive information — including multifactor authentication (MFA) codes, emails and messages — from apps like Google Authenticator, Venmo, Signal and Gmail.
- Pixnapping attacks belong to a broader category of “pixel stealing” attacks, where malicious apps capture what’s displayed on a user’s screen. The attack can occur in under 30 seconds and remain completely hidden from the victim.
- Google released a patch in September to partially address the pixnapping attacks. However, researchers later discovered a workaround. A more complete fix is expected in the December Android security update, and Google has reported no evidence of exploitation to date.
- If you are an Android user, ensure your devices are up to date with all security updates for the best possible protection.
- If you want to know more about how to protect your business or personal information, or think you have been the victim of identity theft, fraud or a scam, you can speak with an expert ITRC advisor by phone or text at 888.400.5530 or live chat on our company website. Visit www.idtheftcenter.org to get started.
Full Transcript
Welcome to the Identity Theft Resource Center’s (ITRC’s) Weekly Breach Breakdown for October 24, 2025. I’m Tatiana Cuadras, Communications Assistant for the ITRC. Thanks to Sentilink for supporting the ITRC and this podcast. Each week, we look at the most recent events and trends related to data security and privacy. Today, we will discuss pixnapping attacks. Never heard of it? Well, let us tell you.
A team of researchers at the University of California, Berkeley, the University of California, San Diego, the University of Washington and Carnegie Mellon University recently uncovered a new class of Android attacks that can steal sensitive information like multifactor authentication (MFA) credentials displayed by other apps and websites.
The researchers were able to demonstrate the attack on Google and Samsung phones. They have managed “end-to-end recovery of sensitive data from websites, including Gmail and Google Accounts, and apps, including Signal, Google Authenticator, Venmo and Google Maps.” According to the researchers’ dedicated website on pixnapping attacks, their attack against Google Authenticator allows any malicious app to steal MFA codes in under 30 seconds while hiding the attack from the user.
How do pixnapping attacks work? They impact nearly all modern Android devices and belong to a larger and older genre of attack known as “pixel stealing”. In a pixel-stealing attack, a malicious party infers how a pixel is being displayed to the user through a side channel, without being granted permission to read the screen. In the researchers’ study, a malicious app installed on the device is opened by the user, and anything visible on screen while that app is running can be stolen. This includes authentication codes, messages, emails and much more.
Why do pixnapping attacks matter? According to the researchers, Google released a patch in early September. However, the researchers were able to find a workaround. In a statement to Dark Reading, Google said the September patch partially mitigates the issue, and that it is issuing an additional patch for the vulnerability in the December Android security bulletin. The good news is that Google has not seen any evidence of exploitation. Google adds that exploiting the vulnerability requires specific data about the target device, and that malicious applications exploiting the vulnerability have not yet been found on Google Play.
According to Dark Reading, on its face, pixnapping attacks do not appear to be the kind of attack that changes how threat actors target Android devices. Exploitation seems to be complicated. With that said, it is just another option for the bad actors to get data as part of social engineering.
How can you protect yourself from pixnapping attacks? While that answer is not yet clear for app developers, researchers say that, for Android users, it starts by ensuring they are up to date on all security updates on their Android devices. So, if you have any Android devices, check for updates once you are done listening to this podcast!
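For administrators who manage a fleet of Android devices, “check for updates” can be turned into a repeatable check of the device’s security patch level. The script below is an added example, not code from the ITRC or from the researchers. It reads the real Android system property ro.build.version.security_patch over adb when a device is connected, falls back to a constructed sample value so it runs offline, and compares the level against a minimum bulletin date; the default minimum of 2025-12-01 is a placeholder, since the page only says the fuller fix is expected in the December bulletin.

```shell
#!/bin/sh
# Added example: verify that an Android device's security patch level is at or
# after a minimum bulletin date. ro.build.version.security_patch is a real
# Android system property; the fallback value below is constructed.

# patch_level_ok PATCH MINIMUM
# Returns 0 if PATCH (YYYY-MM-DD) is on or after MINIMUM, 1 if it is older,
# and 2 if PATCH is not a well-formed date.
patch_level_ok() {
  patch="$1"
  minimum="$2"
  # Validate the expected YYYY-MM-DD format before comparing.
  case "$patch" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) return 2 ;;
  esac
  # Strip the dashes so both dates become 8-digit integers (e.g. 20250905),
  # which compare correctly with the POSIX -ge test.
  p=$(printf '%s' "$patch" | tr -d -)
  m=$(printf '%s' "$minimum" | tr -d -)
  [ "$p" -ge "$m" ]
}

# read_device_patch_level
# Query a connected device via adb if available; otherwise return a constructed
# sample value so the script still runs with no device attached.
read_device_patch_level() {
  if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    adb shell getprop ro.build.version.security_patch | tr -d '\r\n'
  else
    echo "2025-09-05"   # constructed sample value, not read from a device
  fi
}

main() {
  # Placeholder minimum: substitute the actual December bulletin date once it
  # is published, e.g. ./check_patch_level.sh 2025-12-05
  minimum="${1:-2025-12-01}"
  level="$(read_device_patch_level)"
  if patch_level_ok "$level" "$minimum"; then
    echo "patch level $level meets minimum $minimum"
  else
    echo "patch level $level is below minimum $minimum: install pending updates"
  fi
}

main "$@"
```

Because the comparison works on the date alone, the same function can be pointed at any future bulletin date as Google ships further fixes; a device reporting a level older than the minimum is the one to update first.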
Regardless of what happens with pixnapping attacks, the ITRC is here to help you and be a resource. If you want to know more about how to protect your business or personal information or think you have been the victim of identity theft, fraud or a scam, you can speak with an expert ITRC advisor on the phone, via text message, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PT). Just visit www.idtheftcenter.org to get started.
Thanks again to Sentilink for their support of the ITRC and this podcast. Please hit the like button for this episode and subscribe wherever you listen to your podcasts.
Next Tuesday, October 28, we will release our 2025 Consumer Impact Report, which goes beyond the basic financial implications of identity crimes to explore the lost opportunities and the emotional and physical impacts experienced by victims. Next Friday, October 31, we will have a special episode of our sister podcast, the Fraudian Slip, where ITRC CEO Eva Velasquez will break down all of the findings and what they mean.
We will return in two weeks with another episode of the Weekly Breach Breakdown. I’m Tatiana Cuadras. Until then, thanks for listening.
- Follow on LinkedIn: www.linkedin.com/company/idtheftcenter
- Follow on X: www.twitter.com/IDTheftCenter