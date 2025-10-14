Ars Technica reports that Android devices, such as Samsung's S25 phones and Google's Pixel phones, could have their private information, including chat messages, two-factor authentication codes, and location timelines, pilfered in less than 30 seconds through the new Pixnapping attack.

Threat actors could facilitate the compromise through a malicious app invoking Android APIs to call on apps they wish to compomise, with information from such apps channeled to the Android rendering pipeline that renders the apps' pixels, findings from researchers at the University of California, Berkeley, the University of California, San Diego, the University of Washington, and the Carnegie Mellon University, who developed the attack technique, revealed.

Graphical operations selecting the coordinates of targeted pixels and measuring the time necessary for every coordinate are then conducted by Pixnapping before it reconstructs the images delivered to the rendering pipeline. Google, whose partial fix for the issue was found to be inadequate, will be releasing another patch by December.