A new Android vulnerability, dubbed ‘Pixnapping’, poses a significant threat to cryptocurrency users. This exploit enables malicious apps to steal content displayed by other applications, potentially compromising sensitive information like crypto wallet seed phrases and two-factor authentication codes. 2FA codes were successfully extracted from Google Pixel devices in a recent study involving the Pixnapping attack.
The attack abuses Android application programming interfaces (APIs) to calculate the color of specific pixels on screen, then manipulates these pixels to reconstruct secret information. This process requires multiple layers and careful manipulation to mask malicious activity. The technique uses the time delay between frame renders to infer those pixels' colors and reconstruct on-screen secrets.
Seed phrases typically stay visible for longer periods, and a successful attack could compromise them while users are writing them down.
The researchers tested Pixnapping on five Android devices: the Google Pixel 6, 7, 8, and 9, and the Samsung Galaxy S25. While a full 12-word recovery phrase would take significantly longer to capture, the attack remains effective if a user leaves the phrase visible while writing it down.
Google acknowledges this vulnerability as high severity and plans to award the researchers a bug bounty. The company initially attempted to mitigate the issue by limiting how many activities an app can blur at once; however, researchers found a workaround that continues to allow Pixnapping to function. “As of October 13, we are still coordinating with Google and Samsung regarding disclosure timelines and mitigations,” they reported.
One effective solution is using a hardware wallet. This dedicated device stores cryptocurrency keys offline, protecting against cyberattacks that target the connected phone or computer. Hardware wallet users can rest assured their funds remain safe even in the face of this potential exploit.