Imagine most of your phone being secure, free from malicious snooping, save for the pixels on the screen. That’s the idea behind ‘pixnapping’, a new form of attack that U.S. researchers from several universities have discovered. A malicious app tricks the system into leaking digital pixel data, “one pixel at a time”, using transparent layers. It exploits Android’s application programming interfaces (APIs) to essentially rebuild layered screen captures. It may not sound serious, but using this method, hackers can steal sensitive data like two-factor authentication (2FA) codes. The technique can siphon information, like 2FA codes, within 14 to 25 seconds — codes expire after 30 seconds. That’s enough time to steal and use a valid code, bypassing your secure accounts.
It is worrisome, but there is relatively good news. Google already issued a patch that partially mitigates the problem. That patch limits the activities an app can invoke blur on, the function that allows transparent layers, and is what a pixnapping attack uses to capture data. But researchers have found a workaround. The attack, however, is not easy to carry out, and you need to install a malicious Android app first, then open it. Unfortunately, the malicious app does not need extra permissions to carry out the attack. Google says they are issuing an additional patch in the December Android security bulletin. For now, it still exists and could be deployed on many devices, including Samsung and Google Pixel models, used by the researchers to test their work. It’s never been more important to patch security vulnerabilities like this. It was recently discovered over one million Android devices were infected by a secret backdoor for hackers. Additionally, thousands of Android users installed infected apps, not unlike what would be needed for the pixnapping attack.
How does the ‘Pixnapping’ attack actually work?
A pixel is a single, tiny dot that constitutes the content you eventually see on your phone’s display. Thousands and millions of pixels make up the full image of what you see. But this pixnapping attack is able to isolate them, one-by-one, and then reconstruct the image to discern what you’re seeing. It doesn’t just affect two-factor authentication codes. For instance, hackers could rebuild anything sensitive shown on screen, even a message from encrypted apps like Signal. This was demonstrated by the research team — although it took 25 to 42 hours to complete.
The pixnapping attack takes advantage of something called Android Intents, a core system component that allows apps to communicate with one another and other Android devices, like sharing a photo or file. An intent works like a request, similar to a permission, where one app sends an ask to do something or interact with another app. Basically, the attack uses this process to stack transparent windows over the app it wants to see, then uses changes in the pixels and colors to capture and recombine the context of the content. Yes, you have to install an app that’s affected first, and then open it, but would-be thieves could easily disguise an app to look legitimate.
Vulnerabilities like the one related to the pixnapping attack are regularly found in today’s software, creating a constant cat-and-mouse chase between nefarious hackers and developers or white-hat hackers. One of the most sophisticated iPhone attacks ever used relied on a hidden hardware feature — the Pegasus attack required no link tapping and used an iMessage exploit. Apple patched the vulnerability, but new attacks are continuously being discovered, and used by hackers.
