A newly identified vulnerability in Android allows malicious apps to access content displayed by other applications, potentially putting crypto wallet recovery phrases, two-factor authentication (2FA) codes, and more at risk.
A recent research paper outlines the “Pixnapping” attack, which “bypasses all browser mitigations and can even steal secrets from non-browser apps.” It achieves this by using Android application programming interfaces (APIs) to infer the color of a specific pixel rendered by a different application.
The attack mechanism is not simply the malicious app requesting display content from another app. Rather, it involves layering a series of attacker-controlled, semi-transparent activities that obscure all but a selected pixel, and then manipulating that pixel so its color becomes dominant in the frame.
By repeating this process for each pixel of interest and synchronizing with frame rendering, the malicious app can infer pixel values and reconstruct on-screen secrets. Fortunately, this method is time-consuming, which limits its usefulness against content that is only visible for brief moments.
Seed phrases in danger
One category of especially sensitive information that tends to remain visible longer than a few seconds is crypto wallet recovery phrases. These phrases grant full, unrestricted access to the associated crypto wallets and must be written down for safekeeping. The research evaluated the attack on 2FA codes on Google Pixel devices:
“Our attack successfully recovers the entire 6-digit 2FA code in 73%, 53%, 29%, and 53% of trials on the Pixel 6, 7, 8, and 9, respectively. The average time taken to recover each 2FA code is 14.3, 25.8, 24.9, and 25.3 seconds for the Pixel 6, Pixel 7, Pixel 8, and Pixel 9, respectively.”
Although it would take significantly longer to capture a complete 12-word recovery phrase, the attack remains feasible if the user leaves the phrase visible while noting it down.
Google’s response
The vulnerability was tested on five devices running Android versions 13 to 16: the Google Pixel 6, Google Pixel 7, Google Pixel 8, Google Pixel 9, and the Samsung Galaxy S25. The researchers indicated the same attack could be executed on other Android devices, since the APIs being exploited are widely available.
Google initially attempted to remedy the issue by restricting the number of activities an app can blur simultaneously. Nonetheless, researchers found a workaround that enables Pixnapping to persist.
“As of October 13, we are still in talks with Google and Samsung regarding disclosure timelines and mitigations.”
The paper reported that Google classified the issue as high severity and pledged to provide a bug bounty to the researchers. The team also alerted Samsung that “Google’s patch was insufficient to safeguard Samsung devices.”
Hardware wallets offer safe protection
The most straightforward solution is to avoid displaying recovery phrases or any other highly sensitive information on Android devices. Ideally, users should refrain from showing recovery information on any internet-enabled device.
A practical solution to this issue is to utilize a hardware wallet, a dedicated device for key management that signs transactions externally to a computer or smartphone without ever revealing the private key or recovery phrase. As threat researcher Vladimir S stated in an X post on the topic:
“Simply don’t use your phone to secure your crypto. Use a hardware wallet!”