Advisory ID: ngCERT-2025-100006
SUMMARY
ngCERT warns of a new Pixnapping attack that allows malicious Android apps to covertly steal sensitive on-screen data, such as two-factor authentication (2FA) codes, messages, and emails, within seconds. The malicious apps are initially installed through phishing and then abuse Android APIs together with a hardware side channel present in nearly all modern Android devices running versions 13-16. Attackers target banking, cryptocurrency, and social media accounts for data exfiltration and account takeover, causing financial and privacy losses. Organisations and individuals that use Android devices for sensitive communications or SMS-based 2FA are at high risk. Immediate actions, including app updates and vetting, permission restrictions, and adoption of non-SMS 2FA, are critical to mitigate these threats.
Damage: Critical
Probability: High
Platform(s): Android Mobile Devices (Google Pixel and Samsung Galaxy S25), Applications Using SMS-Based 2FA, Messaging Apps
DESCRIPTION
Pixnapping is a stealthy attack that lets hackers steal sensitive information, such as two-factor authentication (2FA) codes and private messages, from Android phones by analysing what is displayed on the screen. A malicious app, disguised as a legitimate one and installed on the target phone through phishing, tricks apps such as Google Authenticator or messaging apps into displaying the data. The malware then uses special techniques to "read" the screen pixel by pixel without requesting any permissions, which makes it hard to spot. By measuring how long it takes to render certain parts of the screen, the app infers what is being shown, such as text or numbers, and can harvest data such as 2FA codes within seconds. The attack spreads through fake apps downloaded from untrustworthy sources and poses a serious threat because it bypasses normal security controls. The side-channel information disclosure vulnerability in Android exploited in the attack, CVE-2025-48561, has been partially fixed; a complete patch is expected in December 2025.
INDICATOR OF COMPROMISE
The following are observed Indicators of Compromise (IoCs):
1. CVE Exploitation: Unpatched Android 13-16 devices still exposed to CVE-2025-48561.
2. Suspicious Apps: Apps with no declared permissions but exhibiting overlay or blur behaviours.
3. Behavioural Anomalies: Unusual rendering delays, semi-transparent overlays, or repeated app invocations.
4. Network/Activity Patterns: Anomalous Intent usage or VSync timing measurements in app processes.
5. App Enumeration: Unauthorised detection of installed apps like Authenticator or messaging tools.
6. Device-Specific Signs: Performance issues on Pixel/Samsung devices during sensitive app usage.
CONSEQUENCES
Successful Pixnapping exploitation can result in:
- Sensitive Data Theft: Extraction of 2FA codes, private messages, emails, and location data, leading to account takeovers.
- Financial and Privacy Losses: Unauthorised access to banking or payment apps (e.g., Venmo), enabling fraud or blackmail.
- User Profiling: Detection of installed apps without permissions, aiding targeted attacks or surveillance.
- Delayed Detection: Stealthy operation hides from users; partial patches can be bypassed, prolonging exposure until full fixes.
- Broader Impacts: Compromises corporate or personal security; on Pixel devices an attacker can recover a 2FA code in 14-25 seconds on average.
SOLUTION/MITIGATION
ngCERT recommends the following to defend against Pixnapping:
- Patch Management: Apply Android security updates immediately; install the September 2025 patch for partial mitigation and await the complete fix in December.
- App Installation Practices: Download apps only from Google Play; avoid side-loading or third-party sources.
- 2FA Enhancements: Switch to app-based or hardware 2FA (e.g., Authy, YubiKey) over SMS or visible codes.
- Device Hardening: Enable Google Play Protect, restrict app permissions, and use an antivirus with behavioural analysis.
- Monitoring: Review app logs for unusual Intent invocations or overlays; employ mobile threat detection tools.
- Developer Guidance: Limit the sensitive data shown on screen; no app-level fixes are available yet; monitor Google advisories.
- Awareness: Educate users on phishing risks leading to malicious app installs.
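For the patch-management item above, the classifier below is an added example for this advisory (not ngCERT's tooling) that triages a device's exposure to CVE-2025-48561 from the `ro.build.version.sdk` and `ro.build.version.security_patch` properties as printed by `adb shell getprop`. It takes the affected range (Android 13-16, API levels 33-36) and the September 2025 partial-mitigation level from the advisory; the 2025-12-01 level for the complete fix is an assumption standing in for the December patch the advisory says is expected, and the `getprop` excerpts are constructed.

```python
"""Classify Android devices by CVE-2025-48561 exposure from getprop output.

Added example for the ngCERT advisory, not ngCERT's own tooling. Affected
range and partial-fix level come from the advisory; the full-fix level is an
assumed placeholder date. Sample getprop excerpts are constructed.
"""
import re
from datetime import date

AFFECTED_SDK = range(33, 37)           # API 33..36 = Android 13..16
PARTIAL_FIX_LEVEL = date(2025, 9, 1)   # September 2025 patch (advisory)
FULL_FIX_LEVEL = date(2025, 12, 1)     # ASSUMED: advisory only says "December 2025"

# getprop prints "[key]: [value]" per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

# Constructed excerpts of `adb shell getprop` output.
SAMPLE_DEVICES = {
    "pixel-unpatched": "[ro.build.version.sdk]: [34]\n"
                       "[ro.build.version.security_patch]: [2025-08-05]\n",
    "galaxy-partial":  "[ro.build.version.sdk]: [35]\n"
                       "[ro.build.version.security_patch]: [2025-09-05]\n",
    "pixel-full":      "[ro.build.version.sdk]: [36]\n"
                       "[ro.build.version.security_patch]: [2025-12-05]\n",
    "old-android12":   "[ro.build.version.sdk]: [31]\n"
                       "[ro.build.version.security_patch]: [2025-09-05]\n",
    "broken-report":   "[ro.build.version.sdk]: [34]\n",
}


def parse_getprop(text):
    """Turn getprop output into a {key: value} dict, ignoring malformed lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def classify(props):
    """Return 'not_affected', 'unpatched', 'partially_mitigated',
    'fully_patched' or 'unknown' (when either property is missing/malformed)."""
    try:
        sdk = int(props.get("ro.build.version.sdk", ""))
        y, m, d = map(int, props.get("ro.build.version.security_patch", "").split("-"))
        level = date(y, m, d)
    except ValueError:
        return "unknown"
    if sdk not in AFFECTED_SDK:
        return "not_affected"
    if level < PARTIAL_FIX_LEVEL:
        return "unpatched"
    if level < FULL_FIX_LEVEL:
        return "partially_mitigated"
    return "fully_patched"


def triage(devices):
    """Classify a {name: getprop_text} fleet snapshot."""
    return {name: classify(parse_getprop(text)) for name, text in devices.items()}


if __name__ == "__main__":
    for name, status in triage(SAMPLE_DEVICES).items():
        print(f"{name:16s} {status}")
```

Devices reported as `unpatched` should be updated first; `partially_mitigated` devices still need the follow-up patch, and `unknown` results usually mean an incomplete inventory record rather than a safe device.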
HYPERLINK