A recently discovered Android vulnerability allows malicious apps to access content from other apps, posing risks to crypto wallet recovery phrases, two-factor authentication (2FA) codes, and more.
A recent research paper describes the “Pixnapping” attack, which “bypasses all browser mitigations and can even steal secrets from non-browser apps.” This is accomplished by using Android application programming interfaces (APIs) to calculate the content of a specific pixel displayed by another application.
This is not merely the malicious app requesting and accessing another app’s display content. Instead, it involves layering a series of attacker-controlled, semi-transparent activities to obscure everything except a specific pixel, then adjusting that pixel’s color to dominate the rendered frame.
By repeating this process pixel by pixel and timing the frame renders, the malware can infer the color of each targeted pixel and reconstruct on-screen secrets. Thankfully, this method takes time, which limits the attack’s effectiveness against content displayed for only a few seconds.
Seed phrases at risk
One particularly sensitive piece of information that remains on-screen longer than just a few seconds is the crypto wallet recovery phrase. These phrases provide full, unchecked access to associated crypto wallets and must be noted down for safekeeping. The paper evaluated the attack on 2FA codes on Google Pixel devices:
“Our attack successfully recovers the complete 6-digit 2FA code in 73%, 53%, 29%, and 53% of trials on the Pixel 6, 7, 8, and 9, respectively. The average time taken to recover each 2FA code is 14.3, 25.8, 24.9, and 25.3 seconds for the Pixel 6, Pixel 7, Pixel 8, and Pixel 9, respectively.”
While capturing a complete 12-word recovery phrase would take significantly more time, the attack remains practical if the user keeps the phrase visible while noting it down.
Google’s reaction
The vulnerability was assessed on five devices running Android versions 13 to 16: the Google Pixel 6, Google Pixel 7, Google Pixel 8, Google Pixel 9, and the Samsung Galaxy S25. The researchers stated that the same attack could be effective on other Android devices, given the widespread availability of the exploited APIs.
Google initially attempted to fix the issue by limiting the number of activities an app can blur simultaneously. However, researchers found a workaround that still allows Pixnapping to operate.
“As of October 13, we continue to coordinate with Google and Samsung regarding disclosure timelines and possible mitigations.”
According to the paper, Google classified the issue as high severity and pledged to award the researchers a bug bounty. The team also contacted Samsung to inform them that “Google’s patch was not sufficient to safeguard Samsung devices.”
Hardware wallets provide secure protection
The simplest solution to this problem is to avoid displaying recovery phrases or other sensitive content on Android devices. Even better is to refrain from showing recovery information on any internet-capable device.
A straightforward way to achieve this is to use a hardware wallet. A hardware wallet is a dedicated key management device that signs transactions outside of the computer or smartphone, without ever revealing the private key or recovery phrase to them. As threat researcher Vladimir S noted in an X post on the topic:
“Simply avoid using your phone to secure your crypto. Use a hardware wallet!”
