A new Android vulnerability, called Pixnapping, allows malicious applications to steal sensitive data from the screen in less than 30 seconds, without special permissions.

Researchers have discovered a serious vulnerability in Android, called Pixnapping, which allows malicious applications to quickly steal sensitive data from the screen, such as Google Authenticator codes, Signal messages, and Venmo financial information. Pixnapping bypasses the Android permission model, capturing anything visible on the screen without requiring special permissions. The attack manipulates the Android rendering system to extract data pixel by pixel, using advanced optical character recognition (OCR) techniques. The vulnerability is related to a graphics processing unit (GPU) side-channel issue, named GPU.zip, which allows applications to observe variations in rendering time. Google has assessed Pixnapping as a high-severity vulnerability and has issued a partial fix, but researchers have managed to bypass it quickly. So far, there is no safe method for users to protect themselves against Pixnapping, and system updates are recommended.