Google is aware of a vulnerability that can be used to steal data from apps that are generally considered secure, like Authenticator or Signal, using a new technique called “Pixnapping.” The vulnerability has been effective on several Google Pixel device models, as well as Samsung Galaxy devices.
According to a report from The Register, Google has noted that it has rolled out a partial fix for a vulnerability that has cropped up recently. The security flaw allows malicious actors to take advantage of a couple of weaknesses in Android.
A malicious app uses the Android Intent system, which allows apps to communicate, to request that a targeted app render sensitive information. The malicious app then overlays that render with transparent screens, invisible to the user, to pull the sensitive pixels from it. Whatever information the malicious app gleans can then be pulled out via a side channel, like GPU.zip, another vulnerability that allows for GPU-rendered visuals to be stolen.
The research team behind Pixnapping consists of seven researchers who were able to trigger the vulnerability on several Google Pixel phones, including the Pixel 9, Pixel 8, and Pixel 7. The group was also able to trigger the event on a Samsung Galaxy S25.
According to the research team’s timeline, Google was notified in February 2025. Since then, Google has released a patch and rolled it out in the September security update. That’s good news and indicates that Google sees the threat as a high priority.
The research team indicates that there’s more work to be done, though.
Google was notified of a workaround to the recent security patch with which the CVE-2025-48561 vulnerability could still be triggered. That workaround has not been disclosed by Google or the team, since the current security update doesn’t fix it.
Google has since noted that it will issue an additional patch for the vulnerability in the upcoming December security update. It also stated that there have been no known instances of “in-the-wild” occurrences.