Pixnapping: The attack that steals verification codes on Android

  • Pixnapping captures visible content on Android and can steal 2FA codes without permission in seconds.
  • The CVE-2025-48561 patch is not sufficient; additional mitigation is expected on Android.
  • The risk of QRLjacking, session hijacking, and fraud on WhatsApp and QR codes is growing.
  • Protect yourself with robust MFA, updates, QR code caution, and reporting to authorities.

What is Pixnapping?

There's a new term making waves in mobile cybersecurity: Pixnapping. This attack, whose name combines pixel and kidnapping, has been shown to be capable of capturing what's displayed on an Android screen and, among other things, stealing two-factor authentication verification codes without raising suspicion.

What's most disturbing is that, according to the researchers who presented it, the attack executes in a matter of seconds and requires no special permissions. That is, a seemingly harmless app, installed by the user themselves, can read information visible on the screen of other applications and extract sensitive data such as private messages, maps, or temporary 2FA codes.

What is Pixnapping and why is it especially worrying?

Pixnapping is a technique that combines legitimate Android APIs with a hardware side channel. This combination lets an attacker observe, reconstruct, and leak what is displayed on the device's screen, capturing data in real time from virtually any app as long as the information is visible.

One of the distinguishing features of this attack is that the malicious app requires no permissions. It doesn't need accessibility services, notification access, or screenshot capability. Instead, it exploits system mechanisms and physical signals to achieve its goal: reading what you see, without you realizing it.

Researchers have shown that, in less than 30 seconds, Pixnapping can steal temporary codes like those from Google Authenticator, and it does so stealthily. During that interval, the user could be, for example, opening their email or looking at a map, while the malicious app extracts the 2FA code without displaying unusual screens or strange notifications.

One important nuance: if a key or secret is never drawn on the screen, Pixnapping cannot capture it. Therefore, keys kept out of sight (such as TOTP secrets that are stored but never displayed) are not directly at risk from this method. The danger lies in what is rendered and visible to the human eye.

To test its reach, the research team ran attacks on several Google and Samsung models. Specifically, it was validated on the Google Pixel 6, Pixel 7, Pixel 8, and Pixel 9, as well as a Samsung Galaxy S25. The tests included the extraction of sensitive data from sites and apps such as Gmail, Google accounts, Signal, Google Authenticator, Venmo, and Google Maps, demonstrating that the vector is broad and not limited to a single manufacturer or application.

How it steals 2FA codes and other data that appear on the screen

When you open an authenticator app or receive a one-time code and it's displayed on the device, Pixnapping can detect and reconstruct it well enough to steal it. Its effectiveness comes from observing rendering patterns and signals associated with the drawing process, so the visible content is the main attack surface.

This explains why it works with TOTP codes generated by authenticator apps, and also with OTPs that appear in messages, notifications, or pop-ups. Simply put: if you see it on your screen, the attacker can make a copy through this approach.

Patching and mitigations: What Google has done and what's yet to come

To try to stop this vector, Google released a patch identified as CVE-2025-48561. However, the researchers themselves have noted that, even with that update installed, Pixnapping was still working in their tests. This isn't the first time something like this has happened with novel attacks: the initial mitigation reduces some of the risk, but doesn't completely close the door.

Google has announced that it will release an additional countermeasure in the December Android security bulletin. Until this supplementary patch arrives, it's a good idea to take extra precautions: avoid installing apps from outside the official store, be wary of unknown developers, and if in doubt, uninstall the suspicious app. Activate Google Play Protect, prefer reputable anti-theft apps, keep the system updated, and limit, as much as possible, how long your 2FA codes stay displayed on screen.

In addition to the update layer, it is advisable to favor authentication methods that do not rely on visible codes. For example, use physical FIDO security keys or push approvals instead of TOTP codes displayed as digits, whenever the service allows it. Reducing the time a code is displayed and minimizing notifications with sensitive content also helps reduce exposure.

Beyond Pixnapping: Hijacking and code-stealing techniques on the rise

Code and session theft is not exclusive to Android or this attack. In parallel, techniques such as QRLjacking, web session hijacking, and WhatsApp and QR fraud are proliferating. They all share one idea: exploiting user trust to hijack your digital identity and access your accounts or money.

QRLJacking and QR code fraud

QRLjacking involves tricking the user into scanning a QR code that appears legitimate but redirects to a site controlled by the attacker. In some services, this QR code is used to log in or link a session, so the victim unknowingly hands their session to the criminal. This approach relies on the trust we place in QR codes through everyday use: restaurant menus, payments, Wi-Fi networks, or check-ins.

There are several variants of QR fraud. One is known as QR Code Jacking: the attacker pastes a fake QR code over the authentic one, for example, on parking meters, charging stations, or signs. The user thinks they're paying for parking but ends up on a cloned website that steals card details. This type of scam has already occurred at real sites, with drivers redirected to scam websites where their data ended up in the hands of fraudsters.

Another method is quishing: emails with fake QR codes that appear to come from banks or government agencies. They invite you to verify your information, take advantage of an offer, or solve a problem, and the QR code takes you to a fake site that asks for credentials or personal information. QR code scanning apps containing malware have also been found in official stores, as happened with Barcode Scanner some time ago.

To reduce risk with QR codes: verify the source before scanning, use trusted apps, and disable automatic link opening. Notice whether the QR code appears to be superimposed or printed on different paper. If in doubt, open the website by typing its address into the browser instead of following the QR code. In physical environments, businesses, and events, periodically check the QR codes shown to the public.
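The "check the URL before entering data" advice above can be partly automated on the scanning side. The following is an added example, not code from the original article or from any QR scanner project: it inspects the URL decoded from a QR code and returns the red flags a user should see before the link opens (non-HTTPS scheme, a `user@host` trick that hides the real host, a raw IP address, punycode labels that may hide a lookalike domain, and a host outside an expected domain list). The `EXPECTED_HOSTS` values and the `inspect_qr_url` name are constructed for illustration.

```python
"""
Added example (not from the original article): a defensive check for the
URL decoded from a QR code before a user follows it. The domain allow-list
below is a constructed sample for illustration only.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list of hosts an operator expects its own QR codes to
# point at (hypothetical values, not taken from any real deployment).
EXPECTED_HOSTS = {"pay.example-parking.test", "example-parking.test"}


def host_matches(host: str, allowed: set) -> bool:
    """True if host equals an allowed host or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def inspect_qr_url(url: str, allowed: set = EXPECTED_HOSTS) -> list:
    """Return a list of warning strings; an empty list means no red flags."""
    warnings = []
    parts = urlsplit(url.strip())

    # Plain http lets the link be tampered with in transit and is unusual
    # for a payment or login page.
    if parts.scheme.lower() != "https":
        warnings.append(f"scheme is '{parts.scheme}', expected https")

    host = parts.hostname or ""
    if not host:
        warnings.append("no host in URL")
        return warnings

    # "https://trusted.example@evil.test/" shows the trusted name first,
    # but the browser connects to what comes after the '@'.
    if parts.username is not None or "@" in parts.netloc:
        warnings.append("user@host trick: the real host is " + host)

    # Legitimate services rarely send users to a bare IP address.
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass

    # Internationalised labels (xn--...) can render as lookalike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label in host (possible homoglyph domain)")

    if not host_matches(host, allowed):
        warnings.append(f"host '{host}' is not in the expected domain list")
    return warnings
```

A scanner app would show these warnings and require an explicit tap before opening anything flagged; an operator auditing its own printed QR codes can run the same check over every decoded URL and compare the host against its own domains.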

Web session hijacking: how it works and why it's so harmful

When you log into a website or application, the server creates a session and gives you an identifier, often via a temporary cookie. This ID maintains your authentication until you log out or it expires. If an attacker manages to obtain this ID, they can impersonate you and access everything as if you were the legitimate user.

There are multiple attack vectors. Cross-site scripting (XSS) injects a script that causes the browser to reveal the cookie or session token. Session sidejacking, or sniffing, monitors traffic on open Wi-Fi networks or uses a man-in-the-middle position to capture unencrypted cookies. Session fixation forces the victim to log in with a predefined ID that the attacker already knows, after which the attacker logs in to the victim's account. A man-in-the-browser attack infects the computer with a Trojan that modifies transactions on the fly. And there are predictable tokens: if a server generates IDs that follow a pattern, they can be guessed by brute force.
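The server-side defences implied by the vectors above (unpredictable IDs, a fresh ID on login against fixation, idle expiry, and cookie attributes that keep the ID away from scripts and plain HTTP) fit in a small session store. The following is an added example written for this article, not code from any framework or from the original page; `SessionStore`, `Session`, `session_cookie` and the 15-minute timeout are hypothetical names and values chosen for illustration.

```python
"""
Added example (not from the original article): a minimal server-side session
store that applies the defences the text implies. Names and the timeout value
are constructed for illustration; no real web framework is involved.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

SESSION_TTL_SECONDS = 15 * 60  # idle timeout; constructed value


@dataclass
class Session:
    user: Optional[str] = None                     # None until authenticated
    created: float = field(default_factory=time.time)
    last_seen: float = field(default_factory=time.time)


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock  # injectable so expiry can be tested offline

    @staticmethod
    def new_id() -> str:
        # 32 bytes from the OS CSPRNG: no counter, timestamp or other
        # pattern an attacker could extrapolate from observed IDs.
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        """Anonymous (pre-login) session, e.g. for a shopping cart."""
        sid = self.new_id()
        now = self._clock()
        self._sessions[sid] = Session(created=now, last_seen=now)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        """Look up a session; expired sessions are rejected and forgotten."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s.last_seen > SESSION_TTL_SECONDS:
            del self._sessions[sid]
            return None
        s.last_seen = self._clock()
        return s

    def login(self, presented_sid: Optional[str], user: str) -> str:
        """After successful authentication, rotate the ID: whatever ID the
        client presented (possibly planted by a fixation attack) is dropped
        and a brand-new one is issued to the now-authenticated user."""
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        sid = self.new_id()
        now = self._clock()
        self._sessions[sid] = Session(user=user, created=now, last_seen=now)
        return sid

    def logout(self, sid: str) -> None:
        """Explicit logout invalidates the ID server-side, not just the cookie."""
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value for the session ID. HttpOnly keeps it away from
    injected scripts (XSS), Secure keeps it off plaintext HTTP (sniffing),
    SameSite limits cross-site sending, and the __Host- prefix forces
    Secure + Path=/ with no Domain attribute."""
    return (f"__Host-session={sid}; Path=/; Secure; HttpOnly; "
            f"SameSite=Lax; Max-Age={SESSION_TTL_SECONDS}")
```

The key behaviour is in `login`: even if an attacker managed to plant a session ID in the victim's browser beforehand, that ID is discarded the moment the victim authenticates, so it never becomes an authenticated session the attacker can reuse. Expiry is enforced on the server; the cookie's `Max-Age` is only a hint to the browser.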

Session spoofing is not the same as session hijacking. In session hijacking, the user is already logged in, and the attacker takes control of a real session, which can cause strange behavior or errors for the user. In spoofing, however, the attacker creates a new session impersonating the user, without the user noticing anything at that moment.

The consequences are far-reaching: identity theft, fraudulent transactions, malware installation, denial-of-service attacks, or chained access to other systems when single sign-on (SSO) is in place. During the pandemic, so-called Zoom bombing became common, with intruders breaking into private video calls. Vulnerabilities have also been reported, such as the one in Slack in 2019, which allowed cookies to be stolen via redirects, or the one in GitLab in 2017, which involved persistent tokens exposed in URLs.

Best practices: Avoid using public Wi-Fi networks for banking, shopping, or email; if there is no alternative, use a VPN. Be suspicious of links in unsolicited emails and check that the website has HTTPS. Keep your antivirus software up to date and configure your services with MFA, privacy policies, session expiration and review of connected devices.


If you detect fraud or malicious sites, report them to Inteco, the National Police, or the Civil Guard. The more reports there are, the sooner the campaigns can be taken down or blocked.

Identity theft and account theft: from everyday to critical

The Internet Security Office (OSI), an INCIBE channel, has observed an increase in incidents of impersonation and account theft. This phenomenon is divided into two broad categories: unauthorized access to real accounts (through stolen passwords, phishing, or malware) and creation of fake profiles that imitate people or entities to deceive third parties.

On WhatsApp, a chain fraud stands out: the criminal contacts you posing as an acquaintance, asking you to forward a six-digit code that supposedly reached you by mistake. In reality, this code is what allows your account to be registered on another device. Once you hand it over, the attacker takes control of your WhatsApp account and may activate two-step verification to make it harder for you to recover it.

In addition, there are documented cases where the attacker adds the account to a second device; WhatsApp then temporarily limits code requests for 12 hours, a period during which the criminal accesses your conversations and groups, collects contacts, and launches new frauds impersonating you.

To protect yourself: never share verification codes, enable WhatsApp's two-step verification, use strong passwords, and don't accept suspicious friend requests or messages. Review your privacy and security settings frequently, limit what you post, and keep sensitive data such as your ID, address, or banking information safe.

SIM swapping is another serious threat: using personal data obtained through social engineering, attackers obtain a duplicate of your SIM from the operator. Suddenly, you lose mobile coverage, and when you connect via Wi-Fi, you receive notifications of unauthorized activity. If something like this happens, contact your operator immediately and enable measures such as MFA on all your accounts.

What to do if your account is stolen or impersonated

Act methodically. Document what happened with screenshots and logs. Notifying your contacts reduces the domino effect. Regain access by changing credentials and activating multi-factor authentication. Review and correct recovery phone numbers and emails that the attacker may have modified. Report the incident to each affected service through its official channels and, if appropriate, file a complaint with the National Police or Civil Guard. INCIBE's 017 hotline offers cybersecurity help for citizens.

Fake CAPTCHAs that install malware: another way to steal data and credentials

In recent months, campaigns abusing fake CAPTCHA verifications have been detected. Through deceptive ads or invisible redirects, users end up on fraudulent pages that simulate browser errors or security checks. There, they are asked to copy a command (for example, a PowerShell command) and execute it, which silently downloads malware capable of stealing credentials, cookies and, especially, cryptocurrency keys.

These campaigns have reached tens of thousands of users, with more than 140,000 interactions in just a couple of months and victims in countries such as Spain, Brazil, Italy, and Russia. The criminals distribute several Trojan families and extend their reach to gambling sites, anime communities, file-sharing services, and adult websites, using the legitimate appearance of CAPTCHAs as bait.

To minimize risk: if an ad fills your screen or redirects you to a strange site, close it; never copy or run commands from pages you don't trust; use an effective antivirus; and use a password manager to protect your credentials. Staying informed is also part of the defense.

DNS Hijacking: When the address takes you to the attacker's website

Domain Name System (DNS) hijacking manipulates how the Internet resolves website names. If an attacker changes the record that associates a domain with its IP address, then when the user types the address of their favorite site, they are actually taken to a server controlled by the attacker. The unsuspecting visitor may enter credentials or download malicious software without noticing.

To achieve this, attackers can infect computers, take control of routers, or intercept DNS connections. The goal is usually spoofing (pharming) to steal data, although there are also cases of governments using it to redirect users to approved sites. The result is the same: BusinessSite.com can point to the wrong IP if the record is compromised, and users are exposed.

How to reduce the overall risk of code, session, and account hijacking

There are common patterns that improve security against Pixnapping, QRLJacking, session hijacking, and messaging fraud:

  • Keep your system and applications up to date and prioritize Android security patches, especially those announcing mitigations for side channels and screen leaks.
  • Install apps only from official stores and weigh the developer's reputation; scrutinize anti-theft applications in particular. If something seems off, uninstall it without hesitation and run a malware scan.
  • Prevent sensitive codes or data from remaining visible on screen; use FIDO keys or push approvals instead of visible TOTP codes. Hide notifications with sensitive content on the lock screen.
  • Be wary of QR codes posted in public spaces or sent by email. Examine their physical appearance and check the URL before entering data. Set your QR reader not to open links automatically.
  • Don't share codes you receive via text message or apps, and enable two-step verification on all services. If you lose coverage for no reason, call your carrier as soon as possible, since it may be SIM swapping.
  • For web sessions: avoid public networks, use a VPN if there is no alternative, check for HTTPS, enable MFA, and log out after sensitive tasks; monitor active sessions and revoke devices you don't recognize.
  • If you detect fraud or malicious sites, report them to Inteco, the National Police, or the Civil Guard. The more reports there are, the sooner the campaigns can be taken down or blocked.

Frequently Asked Questions About Pixnapping and Related Threats

Which phones does Pixnapping affect? Researchers demonstrated it on recent Google models (Pixel 6, 7, 8, 9) and a Samsung Galaxy S25, and they note that the side channel affects most modern Android devices. The potential attack surface is therefore large, pending deeper mitigation measures.

Are the current updates helping? Google released CVE-2025-48561 to mitigate the issue, but public testing indicates the attack is still viable. An additional patch is expected in the December bulletin. Keeping your device up to date reduces risk, although full defense may require more extensive system changes.

Can it steal secrets that aren't displayed? No. If the information isn't rendered on screen, Pixnapping can't capture it. That's why it's important to minimize the display of TOTP codes or show them for as little time as possible.

Which apps are in the spotlight? Any app that displays sensitive information on screen is a candidate. Tests included Gmail, Google Accounts, Signal, Google Authenticator, Venmo, and Google Maps, demonstrating that the problem cuts across categories and affects messaging, authentication, and maps apps alike.

How does Pixnapping relate to QRLjacking or session hijacking? They're all part of the same ecosystem of threats aimed at hijacking digital identities. Pixnapping targets what's on your screen; QRLjacking exploits trust in QR codes; session hijacking exploits web weaknesses; and WhatsApp and SMS phishing (smishing) scams go after your codes. Together, they underscore the need for robust MFA and prudent habits.

The picture painted by all these techniques is clear: attackers prioritize what is visible, what is convenient, and what is trusted. Reducing exposure, strengthening authentication, and monitoring what we scan or approve has a real impact on risk. In the absence of definitive mitigations for side channels like Pixnapping, relying on best practices and patches as soon as they are released is the best way to gain time and keep damage at bay. Share this information so more people will know about the term.
