Pixnapping is a timing and rendering side-channel attack that abuses Android APIs and GPU behavior to extract pixel values from other apps' rendered content. Instead of taking a screenshot (which would require permissions or user interaction), the malicious app triggers target content to be re-rendered and then probes the rendering behavior (for example, by measuring how long blurring or other GPU operations take) to infer the color/value of specific pixels. By repeating that process pixel by pixel in a targeted region, an attacker can reconstruct content shown on the screen (like 2FA codes) without ever being granted screenshot or "read" permissions. (Source: pixnapping.com)
The researchers demonstrated end-to-end recovery of data from both browser pages and native apps including Google Authenticator, Gmail, Signal, Google Maps and Venmo. In the paper and demos they recovered entire 2FA codes very quickly, under 30 seconds in their tests. (Source: pixnapping.com)
Why this is different from past attacks
There have been other UI and overlay attacks on Android (for example, abuse of SYSTEM_ALERT_WINDOW overlays, or sensor-based inference attacks). Pixnapping differs because it:
Requires no special runtime permissions (no SCREENSHOT, no accessibility, no SYSTEM_ALERT_WINDOW); it uses legitimate Android APIs that are normally available to benign apps.
Targets the rendering pipeline and GPU timing, so it can bypass browser anti-screen-scraping mitigations and protections that assume screenshots or clipboard access are required to exfiltrate text.
Works across apps and web views, not just inside a browser page, because the attack forces content to be rendered in a way the attacker can probe.
(Source: pixnapping.com)
Those properties make Pixnapping especially worrying: a seemingly harmless app (a flashlight, a game, a PDF reader) could include the attack and run in the background without requesting anything suspicious.
Which devices and Android versions are affected?
The published research and demonstrations targeted a range of modern Android handsets. The researchers successfully demonstrated the attack on Google Pixel phones (Pixel 6 through Pixel 9) and recent Samsung Galaxy devices (including the Galaxy S25 series) running Android 13 through 16. Google has tracked the issue under CVE-2025-48561. (Source: pixnapping.com)
That said, effectiveness depends on GPU and driver behavior; the attack exploits timing differences in how GPUs/processors handle certain operations, so vulnerability can vary by chipset, driver version, and OEM changes. The public demonstrations focused on widely used devices, which suggests a broad attack surface across recent Android hardware.
Are there fixes or patches yet?
Google issued a partial mitigation in the September 2025 Android Security Bulletin and has stated it will ship an additional patch in the December bulletin to further harden the rendering code paths the researchers abused. OEMs (like Samsung) typically take those fixes and integrate them into monthly or quarterly updates for their devices, so whether and when a specific phone gets the full fix depends on the manufacturer and carrier. Google also said it has seen no evidence of in-the-wild exploitation at the time of disclosure. (Source: The Hacker News)
Because the September patch was described as a partial mitigation and researchers demonstrated a workaround, Android users should assume that unpatched or partially patched devices remain at risk until they receive the final OS-level fix from Google and their vendor.
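For defenders managing several devices, the patch status described above can be triaged from the security patch level each device reports. The following is an added example, not code from the researchers or from Google; it assumes the bulletins map to patch-level strings 2025-09-01 and 2025-12-01, and the `getprop` output in `SAMPLES` is constructed.

```python
import re
from datetime import date

# Thresholds from the article: partial mitigation in the September 2025
# bulletin, additional patch announced for the December bulletin.
# Assumption: these map to patch-level strings 2025-09-01 and 2025-12-01.
PARTIAL = date(2025, 9, 1)
FOLLOW_UP = date(2025, 12, 1)
TESTED_RELEASES = range(13, 17)  # Android 13 through 16, per the article
PROP = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")

def parse_getprop(text):
    """Parse `adb shell getprop` lines of the form [key]: [value]."""
    matches = (PROP.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def triage(props):
    """Coarse CVE-2025-48561 status based on the reported patch level."""
    try:
        level = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return "unknown: no parseable patch level"
    if level < PARTIAL:
        status = "exposed: predates September 2025 partial mitigation"
    elif level < FOLLOW_UP:
        status = "partial: September 2025 mitigation only"
    else:
        status = "follow-up level: confirm vendor shipped the December fix"
    m = re.match(r"\d+", props.get("ro.build.version.release", ""))
    if m is None or int(m.group()) not in TESTED_RELEASES:
        status += " (Android release outside the 13-16 range demonstrated)"
    return status

# Constructed sample output, one entry per device (not real devices).
SAMPLES = {
    "phone-a": "[ro.build.version.release]: [15]\n"
               "[ro.build.version.security_patch]: [2025-08-05]\n",
    "phone-b": "[ro.build.version.release]: [16]\n"
               "[ro.build.version.security_patch]: [2025-09-05]\n",
    "phone-c": "[ro.build.version.release]: [12]\n"
               "[ro.build.version.security_patch]: [2025-12-01]\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {triage(parse_getprop(text))}")
```

A patch-level string only shows what the vendor claims to have integrated, so the third status is a prompt to check the vendor's own advisory, not a confirmation of the fix.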
How realistic is the risk to everyday users?
Factors that make Pixnapping realistic:
The attack does not require special permissions, so malicious apps can hide the exploit in ordinary-looking apps and pass app-store review more easily.
The researchers' PoC worked on mainstream devices and apps people actually use (Authenticator, Gmail, Signal).
The attack can exfiltrate short, high-value items (one-time codes) very quickly.
Factors that reduce the immediacy of panic:
The attack requires a specially crafted malicious app installed on the device. Mass exploitation would require attackers to get many users to install that app (via sideloading or app store deception).
Google and OEMs have mitigations in progress and there is currently no public evidence of in-the-wild abuse.
(Source: Dark Reading)
In short: this is a serious vulnerability that raises the bar for stealthy on-device exfiltration, but it is not a zero-day that allows remote compromise without an app being installed. The immediate practical risk is that an app you install could be maliciously designed to steal codes; that means app vetting habits and OS updates matter more than ever.
What you should do right now (practical steps)
Install updates as soon as your device vendor releases them.
Watch for Android security updates from Google and vendor firmware updates (Samsung, Pixel updates, etc.). Apply monthly security patches promptly. (Google released a partial mitigation in September 2025 and plans further fixes.) (Source: The Hacker News)
Be extra cautious about apps you install, even seemingly safe ones.
Prefer apps from reputable developers with many reviews and steady update histories. Check the permissions they request (even though Pixnapping itself may require none).
Limit sideloading.
Avoid installing APKs from unknown sources. A sideloaded app is the most likely way attackers get the malicious Pixnapping code onto many devices.
Use hardware-backed 2FA where possible.
Prefer FIDO2 hardware keys (security keys) or push-based 2FA that requires user interaction/approval over time-based codes where feasible. An attacker who can read your screen still needs whatever secondary interaction the key or push requires.
Rotate secrets if you suspect compromise.
If you installed an app you now distrust, uninstall it and rotate any exposed credentials or 2FA seeds (deprovision your authenticator apps).
Minimize sensitive information shown on screen when you can: do not display long-lived secret tokens in full on screen, and close authenticator apps when not in use.
Use Play Protect and mobile antivirus as an additional layer.
These won't stop all targeted attacks, but they help flag known malicious apps.
For developers and defenders (technical mitigations)
App developers and browser vendors should avoid exposing sensitive content in ways that can be forced to re-render in an attacker-controllable context. Consider rendering strategies that avoid trivial pixel-by-pixel inference.
Google is working on OS-level hardening; OEMs must integrate those changes quickly into their update pipelines.
App stores should scrutinize unusual GPU-intensive or window-stacking behavior in apps submitted for distribution, since the attack depends on creating specific rendering stacks and repeated GPU operations.
The academic team has published a technical paper and PoC describing the attack in depth (including microbenchmarks and how they bypassed prior mitigations). Security teams should read the paper and vendor advisories to understand precise signatures and telemetry that might reveal attempted exploitation. (Source: pixnapping.com)
What researchers and Google say
The Pixnapping research originated from a university team (the paper and associated site include demos and technical writeups). Google assigned CVE-2025-48561 to the issue, pushed a partial mitigation in the September 2025 bulletin, and signaled a further patch to follow. The public statements indicate Google takes the issue seriously and is planning a coordinated mitigation approach with OEMs. The research team responsibly disclosed the issue to Google before public release and included proof-of-concept results in their writeup. (Source: pixnapping.com)
Bottom line
Pixnapping is a novel, solid side-channel that demonstrates a new way to read screen content without permissions. While it does not magically let attackers break into devices remotely, it lowers the cost for a malicious on-device app to exfiltrate high-value short strings like 2FA codes. The good news: Google has already begun mitigating the issue and a CVE exists; the bad news: the September patch was partial and you should treat unpatched devices as potentially vulnerable.
Action checklist for readers (quick):
Update your phone OS and vendor firmware promptly. (Source: The Hacker News)
Avoid installing unknown apps or sideloading APKs.
Prefer hardware FIDO keys or push 2FA where possible.
If you suspect a malicious app, uninstall it and rotate affected 2FA/secrets.
Sources & further reading (selected)
Pixnapping research paper and PoC (PDF): original technical writeup by the researchers (pixnapping.com).
The Hacker News coverage with CVE details and vendor responses.
Dark Reading / SecurityWeek / Malwarebytes coverage summarizing real-world implications and vendor responses.
Carnegie Mellon University news post summarizing the research (cylab.cmu.edu).
