A newly discovered Android vulnerability enables malicious applications to access content displayed by other apps, potentially compromising crypto wallet recovery phrases, two-factor authentication (2FA) codes and more.
According to a recent research paper, the “Pixnapping” attack “bypasses all browser mitigations and can even steal secrets from non-browser apps.” This is possible by leveraging Android application programming interfaces (API) to calculate the content of a specific pixel displayed by a different application.
This is not as simple as the malicious application requesting and accessing the display content of another application. Instead, it layers a stack of attacker-controlled, semi-transparent activities to mask all but a chosen pixel, then manipulates that pixel so its color dominates the frame.
By repeating this process and timing frame renders, the malware infers those pixels to reconstruct on-screen secrets. This, fortunately, takes time and limits the attack’s usefulness against content that is not displayed for more than a few seconds.
Seed phrases in danger
One kind of particularly sensitive information that tends to stay on screen for much longer than a few seconds is crypto wallet recovery phrases. Those phrases, which allow full, unchecked access to the connected crypto wallets, require users to write them down for safekeeping. The paper tested the attack on 2FA codes on Google Pixel devices:
“Our attack correctly recovers the full 6-digit 2FA code in 73%, 53%, 29%, and 53% of the trials on the Pixel 6, 7, 8, and 9, respectively. The average time to recover each 2FA code is 14.3, 25.8, 24.9, and 25.3 seconds for the Pixel 6, Pixel 7, Pixel 8, and Pixel 9, respectively.“
While a full 12-word recovery phrase would take much longer to capture, the attack remains viable if the user leaves the phrase visible while writing it down.
Related: UK renews Apple iCloud backdoor push, threatening crypto wallet security
Google’s response
The vulnerability was tested on five devices running Android versions 13 to 16: the Google Pixel 6, Google Pixel 7, Google Pixel 8, Google Pixel 9 and the Samsung Galaxy S25. The researchers said the same attack could work on other Android devices since the exploited APIs are widely available.
Google initially attempted to patch the flaw by limiting how many activities an app can blur at once. However, the researchers said they found a workaround that still enables Pixnapping to function.
“As of October 13, we are still coordinating with Google and Samsung regarding disclosure timelines and mitigations.“
According to the paper, Google rated the issue as high severity and committed to awarding the researchers a bug bounty. The team also reached out to Samsung to warn that “Google’s patch was insufficient to protect Samsung devices.”
Related: Best crypto hardware wallets for 2025
Hardware wallets offer safe protection
The most obvious solution to the issue is to avoid displaying recovery phrases or any other particularly sensitive content on Android devices. Even better would be to avoid displaying recovery information on any internet-capable device.
A simple solution to achieve just that is to use a hardware wallet. A hardware wallet is a dedicated key management device that signs transactions externally to a computer or smartphone without ever exposing the private key or recovery phrase. As threat researcher Vladimir S put it in an X post on the subject:
“Simply don’t use your phone to secure your crypto. Use a hardware wallet!“
Magazine: ‘Help! My robot vac is stealing my Bitcoin’: When smart devices attack