TLDR
- Pixnapping steals on-screen data by reading pixel colors on Android devices.
- The attack recovered 2FA codes on Pixel 6 through Pixel 9 devices in up to 73% of tests.
- Google rated the issue high severity and is working on a full patch.
- Hardware wallets remain the safest way to store crypto recovery phrases.
A new Android security flaw has raised concerns among users of crypto wallets and authentication apps. Researchers have identified an attack method called “Pixnapping,” which allows malicious applications to reconstruct sensitive on-screen data such as recovery phrases and two-factor authentication (2FA) codes. The discovery indicates that even trusted devices could be at risk of revealing private information through manipulated screen pixels.
How the Pixnapping Attack Works
The Pixnapping method uses Android’s application programming interfaces (APIs) to calculate the color of individual pixels displayed by other applications. Unlike conventional screen capture attacks, the malicious app does not directly access another app’s display.
Instead, it layers semi-transparent activities over the target app, masking all but a chosen pixel. By manipulating that pixel repeatedly, attackers can infer its color and reconstruct visual content from the screen.
Researchers explained that this process involves timing frame renders and scanning one pixel at a time, which enables the malware to rebuild what was shown on screen. Although the attack is slow, it is still capable of capturing information that remains visible for more than a few seconds, such as recovery phrases or long authentication codes.
Risk to Crypto Wallet Recovery Phrases
The research team warned that Pixnapping poses a particular danger to crypto wallet users. Recovery phrases, which provide full access to digital wallets, often stay visible while users write them down. According to the study, the attack successfully retrieved full 6-digit 2FA codes in several tests on Google Pixel devices.
The success rate reached 73% on the Pixel 6, 53% on the Pixel 7, 29% on the Pixel 8, and 53% on the Pixel 9. The average time to recover each 2FA code ranged from 14 to 26 seconds, depending on the device model. While recovering a full 12-word seed phrase would take much longer, the researchers confirmed that it remains possible if the phrase stays displayed.
Google’s Response and Ongoing Coordination
The vulnerability was tested on several devices running Android 13 to 16, including the Google Pixel 6 through Pixel 9 and the Samsung Galaxy S25. Since the attack relies on widely available APIs, the team warned that other Android devices could also be affected.
Google responded by limiting how many activities an app can blur at once. However, the researchers found a workaround that allowed Pixnapping to continue functioning. As of October 13, the researchers said they were still coordinating with Google and Samsung regarding disclosure timelines and security patches.
Google classified the issue as high severity and awarded a bug bounty to the research team. The team also informed Samsung that Google’s initial fix did not fully protect Samsung devices.
Hardware Wallets as a Safer Option
Experts advise users to avoid displaying recovery phrases or sensitive data on Android devices until a complete fix is available. Keeping recovery information offline or using a hardware wallet offers stronger protection.
A hardware wallet is a dedicated device that stores private keys securely and signs transactions without exposing them to connected smartphones or computers. Security researcher Vladimir S emphasized this in a post on X, stating, “Simply don’t use your phone to secure your crypto. Use a hardware wallet!”
Until Android patches the vulnerability, users are urged to exercise caution and avoid keeping recovery or authentication data visible on their screens for extended periods.
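The practical defence the article repeats is to shorten how long a secret stays rendered, since the attack samples one pixel at a time and needs the content to remain on screen for more than a few seconds. The sketch below is an added illustration of that idea for a wallet app's "show recovery phrase" screen; it is not code from the researchers, from Google, or from any wallet project. The class name, the per-word time bound and the one-word-at-a-time layout are assumptions, and the snippet only narrows the exposure window, it does not close the underlying pixel side channel.

```kotlin
// Added example, not from the article: reveal a recovery phrase one word at a
// time and re-mask each word after a short bound, so a slow per-pixel side
// channel has far less time to sample any given word.
import android.os.Handler
import android.os.Looper
import android.widget.Button
import android.widget.TextView

class BoundedRevealController(            // hypothetical class name
    private val wordView: TextView,        // renders exactly one word at a time
    private val revealButton: Button,      // user taps to advance to the next word
    private val words: List<String>,       // the recovery phrase, e.g. 12 words
    private val revealMillis: Long = 1500L // assumed bound on on-screen time per word
) {
    private val handler = Handler(Looper.getMainLooper())
    private var index = 0
    private val mask = "\u2022\u2022\u2022\u2022"   // placeholder shown while hidden

    // Runs when the bound expires and replaces the word with the mask
    private val hideRunnable = Runnable { wordView.text = mask }

    fun start() {
        wordView.text = mask
        revealButton.setOnClickListener { revealNext() }
    }

    private fun revealNext() {
        if (index >= words.size) {
            wordView.text = mask
            return
        }
        // Cancel any pending re-mask for the previous word, then show the next one
        handler.removeCallbacks(hideRunnable)
        wordView.text = "${index + 1}. ${words[index]}"
        index++
        // Re-mask after the bound whether or not the user has moved on
        handler.postDelayed(hideRunnable, revealMillis)
    }

    // Call from the hosting Activity's onPause(): a covered or backgrounded
    // screen should never keep a word rendered, since overlaid activities are
    // exactly the vantage point the attack relies on.
    fun onScreenHidden() {
        handler.removeCallbacks(hideRunnable)
        wordView.text = mask
    }
}
```

Wire `start()` from the Activity's `onCreate()` and `onScreenHidden()` from `onPause()`. The trade-off is usability: users must tap through the phrase word by word, which is acceptable for a one-time backup screen and keeps any single word on screen for only the chosen bound rather than the minutes a full 12-word list typically stays visible while being copied down. Until a platform-level fix ships, this is mitigation, not a guarantee, and the article's advice to prefer a hardware wallet still applies.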