Android is susceptible to an attack called Pixnapping, which allows data from any application to be stolen. Google says it will not be fully fixed until December 2025.

A significant new security flaw has been discovered on Android. Unlike other vulnerabilities, this one has not yet been completely closed even though it has been made public, and will not be for several more weeks. Several Google Pixel and Samsung Galaxy smartphone models, and undoubtedly others, are susceptible to a new type of attack called Pixnapping.
Pixnapping takes advantage of a vulnerability in Android, which allows data to be stolen from applications that are normally secure, such as Google Maps, Signal or Gmail. Worse still, researchers have even managed to bypass Google Authenticator’s two-factor authentication system.
Pixnapping is still rampant on Android
So how do hackers using Pixnapping operate? As is often the case, it all starts with an Android application installed on the device, which appears legitimate at first glance, but is in fact malicious. This app contains code able to take screenshots of other apps or websites. To do this, it accesses information about the display pixels of the screen through a component of the mobile GPU.
Google believes it is unlikely that this security flaw has been actively exploited. In any case, the firm has found no trace of exploitation. But now that the way it works has been documented, it’s possible that some malicious individuals will try to take advantage of it, given that the vulnerability has not yet been 100% fixed.
“We have released a fix for the CVE-2025-48561 vulnerability in the September Android Security Bulletin, which partially mitigates this behavior. We are releasing an additional fix for this vulnerability in the December Android Security Bulletin,” Google told The Register.
In the September patch, Google attempted to protect devices from Pixnapping by limiting the number of blurring API requests allowed by an Android activity. But the researchers behind the discovery quickly managed to bypass this measure, and Pixnapping is therefore still active. However, the method for breaking the September patch has not been made public. We imagine that it will be in December, after the second update.
