this post was submitted on 14 Oct 2025

89 points (94.1% liked)

Android

20800 readers

207 users here now

The new home of /r/Android on Lemmy and the Fediverse!

Android news, reviews, tips, and discussions about rooting, tutorials, and apps.

💡Content Philosophy:

Content which benefits the community (news, rumours, and discussions) is generally allowed and is valued over content which benefits only the individual (technical questions, help buying/selling, rants, self-promotion, etc.) which will be removed if it's in violation of the rules.

Support, technical, or app related questions belong in: !askandroid@lemdro.id

For fresh communities, lemmy apps, and instance updates: !lemdroid@lemdro.id

💬Matrix Chat

💬Telegram channels / chats

📰Our communities below

Rules

Stay on topic: All posts should be related to the Android OS or ecosystem.
No support questions, recommendation requests, rants, or bug reports: Posts must benefit the community rather than the individual. Please post to !askandroid@lemdro.id.
Describe images/videos, no memes: Please include a text description when sharing images or videos. Post memes to !androidmemes@lemdro.id.
No self-promotion spam: Active community members can post their apps if they answer any questions in the comments. Please do not post links to your own website, YouTube, blog content, or communities.
No reposts or rehosted content: Share only the original source of an article, unless it's not available in English or requires logging in (like Twitter). Avoid reposting the same topic from other sources.
No editorializing titles: You can add the author or website's name if helpful, but keep article titles unchanged.
No piracy or unverified APKs: Do not share links or direct people to pirated content or unverified APKs, which may contain malicious code.
No unauthorized polls, bots, or giveaways: Do not create polls, use bots, or organize giveaways without first contacting mods for approval.
No offensive or low-effort content: Don't post offensive or unhelpful content. Keep it civil and friendly!
No affiliate links: Posting affiliate links is not allowed.

Quick Links

Our Communities

Lemmy App List

See thread

Chat and More

founded 2 years ago

MODERATORS

Hackers can steal 2FA codes and private messages from Android phones (arstechnica.com)

submitted 2 months ago by schizoidman@lemmy.zip to c/android

21 comments fedilink hide all child comments

The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet. The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work. Google released mitigations last month, but the researchers said a modified version of the attack works even when the update is installed.

top 21 comments

sorted by: hot top controversial new old

[–] 0_o7@lemmy.dbzer0.com 36 points 2 months ago (5 children)

requires a victim to first install a malicious app on an Android phone or tablet.

Okay, that's not so bad

The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen.

but the researchers said a modified version of the attack works even when the update is installed.

Holy fuck, how the fuck does this even happen? No permission but still read screen data? That's a horrible flaw. Does google intentionally do this so they can read all user activity ever? And even their fixes are flawed? Fuck

[–] fluxion@lemmy.world 12 points 2 months ago* (last edited 2 months ago)

Google has actually done quite a bit of work to guard against this sort of thing in a general sense:

https://source.android.com/docs/core/virtualization/architecture

It effectively isolates every page of data for an application from other applications and even from the OS itself by using hardware virtualization support on ARM

But things like video frame buffers are shared resources that can't be easily isolated on this way and that seems to be the attack vector in this case. That not to say this isn't a failure on Google's part to not catch this, but they aren't the bad guys in this case and seem to be trying to address it

[–] CallMeAnAI@lemmy.world 9 points 2 months ago

Bugs happen. You act like there has never been a serious FoSS vulnerability.

They are working with the researchers and addressing it 🤷‍♂️.

[–] Tollana1234567@lemmy.today 6 points 2 months ago (2 children)

google wants all your data, so it make sense theres this vulnerability, remember the android core spy app they tried to secretely install to peoples phones.

[–] MaggiWuerze@feddit.org 16 points 2 months ago (1 children)

Googles Apps run with what are basically root permissions. They don't need to design the permissions in such a way to get access, they can just do what they want

[–] BCsven@lemmy.ca 4 points 2 months ago (2 children)

That's why I put GrapheneOS on my phone. It sandboxes apps and you can grant specific containerized storage spaces aaccesa per app.

But screen reading OOF, I thought that would have needed screen overlay permissions.

[–] MaggiWuerze@feddit.org 3 points 2 months ago

If only they would support more devices. Maybe they will broaden their lineup now that Google has basically curb stomped them

[–] ReversalHatchery@beehaw.org 1 points 2 months ago* (last edited 2 months ago)

~~I don't think the screen overlay permission gives access for screen capture~~

I was wrong. but this article seems to imply that it's screen overlay permission is what is needed for this to work.

[–] ReversalHatchery@beehaw.org 1 points 2 months ago* (last edited 2 months ago)

"tried" why, do you think they failed?

[–] f4f4f4f4f4f4f4f4@sopuli.xyz 4 points 2 months ago (1 children)

https://f-droid.org/packages/io.nandandesai.privacybreacher

It hasn't been updated in five years. I'm not sure of the current state of things in Android, but apps used to be able to access all kinds of personal data with zero permissions: listing all installed apps, access to sensors/accelerometers, battery level, when charger/headphones were last plugged or unplugged.

[–] ReversalHatchery@beehaw.org 1 points 2 months ago (2 children)

screen capture is an entirely different thing though, and that was not available without permissions for a very long time

[–] f4f4f4f4f4f4f4f4@sopuli.xyz 1 points 2 months ago

This is true. Non-Google apps trying to read your screen had to convince users to enable Accessibility permission.

[–] limerod@reddthat.com 1 points 1 month ago

Its not actually capturing the screen though. Its display a transparent overylay on another app and using a timing side channel attack to track the pixels for the generated 2 factor auth code.

[–] possiblylinux127@lemmy.zip 2 points 2 months ago

This headline is a bit click baity

It is bad but because it is a side channel attack it very hard to pull off. You need the starts to align and for the user to stay on the same screen for a long time for it to actually be exploited.

[–] Eyekaytee@aussie.zone 12 points 2 months ago (2 children)

…

requires a victim to first install a malicious app

these new “hacks” suck, bring back worms that would shut your pc down just after you connected to the net, that was hacking! 👨‍🦳

[–] Evotech@lemmy.world 6 points 2 months ago (1 children)

The fact that it needs no permissions though…

[–] gravitywell@sh.itjust.works 5 points 2 months ago (1 children)

Except you have to grant permission to install it, thats a pretty big one, especially for average users who dont have Sideloading enabled

[–] bountygiver@lemmy.ml 4 points 2 months ago (1 children)

I doubt Google actually reviews each app submitted line by line of code. So a malicious developer can theoretically sneak it in one popular app via play store updates.

Good thing the point of 2FA is the 2 factor part so this only compromises one of the two, without some very coordinated attack it's still quite hard to gain access to your accounts.

[–] BCsven@lemmy.ca 1 points 2 months ago

Hardware key is the way. Like a Yubikey

Code is generated on another device by using the encryption stored on the hardware key.

Since this app can read screen, you need a non network connected device to act as the key displayer.

[–] MoonMelon@lemmy.ml 3 points 2 months ago

I worked at a computer store when blaster happened. Shit was wild, for weeks. People blamed us too, of course. We started giving away patch disks for free.

[–] kepix@lemmy.world 1 points 1 month ago

i love how most of these start with the victim installing the most sus apk they can find on the internet