A newly discovered Android vulnerability could allow malicious applications to access content displayed by other apps, potentially compromising crypto wallet recovery phrases, two-factor authentication (2FA) codes, and more.
According to a recent research paper, “Pixnapping” attacks “can bypass all browser mitigations and even steal secrets from non-browser apps.” They do this by using Android application programming interfaces (APIs) to infer the value of a particular pixel displayed by another application.
This is not as simple as a malicious application requesting and reading another application’s display content. Instead, it overlays a stack of attacker-controlled translucent activities that mask everything but the selected pixel and manipulates that pixel so that its color predominates in the frame.
By repeating this process for each pixel and timing how long frames take to render, the malicious app can infer the pixel values and reconstruct the secrets on the screen. Fortunately, this takes time, which limits the effectiveness of the attack against content that is visible for only a few seconds.

Visual representation of Pixnapping. Source: Research paper on Pixnapping
Seed phrases at risk
One particularly sensitive piece of information that tends to stay on screen for much longer than a few seconds is a cryptocurrency wallet’s recovery phrase. These phrases grant full and unrestricted access to the connected wallet, and users must write them down for safekeeping. In the paper, the researchers tested an attack against 2FA codes on Google Pixel devices.
“Our attack successfully recovered the full 6-digit 2FA code in 73%, 53%, 29%, and 53% of tests on Pixel 6, Pixel 7, Pixel 8, and Pixel 9, respectively. The average time to recover each 2FA code was 9 respectively.”
Although it takes longer to capture the full 12-word recovery phrase, the attack is still viable if the user leaves the phrase visible while writing it down.
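Because the attack needs the secret to stay rendered for tens of seconds, one mitigation a wallet app can apply on its own side is to reveal the phrase one word at a time and blank the view after a short timeout. The Kotlin helper below is an added example written for this article, not code from the paper, Google, Samsung or any wallet; the class name, the `PLACEHOLDER` string, the 3-second window and the view IDs in the usage comment are assumptions.

```kotlin
import android.os.Handler
import android.os.Looper
import android.widget.TextView

// Hypothetical helper: shows a recovery phrase one word at a time and blanks
// the view again after a short window, so no word is rendered long enough for
// a pixel-by-pixel inference attack like Pixnapping to finish reading it.
class RecoveryPhraseReveal(
    private val words: List<String>,          // the user's mnemonic, e.g. 12 words
    private val target: TextView,             // view that renders the current word
    private val visibleMillis: Long = 3_000L, // assumed window, far below the
                                              // recovery times the paper reports
    private val handler: Handler = Handler(Looper.getMainLooper())
) {
    private var index = 0
    private val hide = Runnable { target.text = PLACEHOLDER }

    // Reveal the next word for visibleMillis, then blank the view.
    // Returns the 1-based position shown, or null once all words were shown.
    fun revealNext(): Int? {
        if (index >= words.size) return null
        handler.removeCallbacks(hide)        // restart the timer on rapid taps
        val position = index + 1
        target.text = "$position/${words.size}: ${words[index]}"
        index++
        handler.postDelayed(hide, visibleMillis)
        return position
    }

    // Blank immediately (call from onPause) so nothing stays rendered when
    // the user switches away and another app can stack windows on top.
    fun hideNow() {
        handler.removeCallbacks(hide)
        target.text = PLACEHOLDER
    }

    companion object { const val PLACEHOLDER = "••••" }
}

// Usage inside an Activity (R.id.wordView and R.id.nextButton are assumed):
//   val reveal = RecoveryPhraseReveal(mnemonicWords, findViewById(R.id.wordView))
//   findViewById<Button>(R.id.nextButton).setOnClickListener { reveal.revealNext() }
//   override fun onPause() { super.onPause(); reveal.hideNow() }
```

The user still has to write each word down within the window, so the timeout trades a little convenience for a much shorter exposure than a full phrase left on screen while it is copied.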
Google’s response
This vulnerability was tested on five devices running Android versions 13 to 16: Google Pixel 6, Google Pixel 7, Google Pixel 8, Google Pixel 9, and Samsung Galaxy S25. Researchers believe the same attack could work on other Android devices as the exploited API is widely available.
Google initially tried to fix the flaw by limiting the number of activities an app could blur at once. However, researchers said they have found a workaround that allows Pixnapping to continue working.
“As of October 13, we are coordinating with Google and Samsung regarding disclosure schedules and mitigation measures.”
According to the paper, Google has rated the issue as high severity and has promised to award researchers a bug bounty. The team also contacted Samsung and warned that “Google’s patch was not sufficient to protect Samsung devices.”
Hardware wallets provide secure protection
The most obvious solution to this problem is to stop your Android device from displaying recovery phrases or other particularly sensitive content. Better still, avoid displaying recovery information on any internet-connected device at all.
A simple solution to achieve that is to use a hardware wallet. A hardware wallet is a dedicated key management device that signs transactions outside of your computer or smartphone without exposing your private keys or recovery phrase. Threat researcher Vladimir S. said in an X post on the subject:
“Don’t use your phone to secure your cryptocurrencies. Use a hardware wallet.”