Show Notes
Follow on LinkedIn: www.linkedin.com/company/idtheftcenter/
Follow on X: twitter.com/IDTheftCenter
Show Transcript
Welcome to the Identity Theft Resource Center's (ITRC’s) Weekly Breach Breakdown for October 24, 2025. I'm Tatiana Cuadras, Communications Assistant for the ITRC. Thanks to Sentilink for supporting the ITRC and this podcast. Each week, we look at the most recent events and trends related to data security and privacy. Today, we will discuss pixnapping attacks. Never heard of it? Well, let us tell you.
A team of researchers at the University of California, Berkeley, the University of California, San Diego, the University of Washington and Carnegie Mellon University recently uncovered a new class of Android attacks that can steal sensitive information like multifactor authentication (MFA) credentials displayed by other apps and websites.
The researchers were able to demonstrate the attack on Google and Samsung phones. They have managed “end-to-end recovery of sensitive data from websites, including Gmail and Google Accounts, and apps, including Signal, Google Authenticator, Venmo and Google Maps.” According to the researchers' dedicated website on pixnapping attacks, their attack against Google Authenticator allows any malicious app to steal MFA codes in under 30 seconds while hiding the attack from the user.
How do pixnapping attacks work? They impact nearly all modern Android devices and belong to a larger and older genre of attack known as “pixel stealing”. Pixel stealing is where a source can determine how a pixel is displayed to a user through a channel. In the case of the researchers’ study, malicious code is installed in an app that the user opens. Anything visible to the user while the app is open can be stolen. This includes authentication codes, messages, emails and much more.
Why do pixnapping attacks matter? According to the researchers, Google released a patch in early September. However, the researchers were able to find a workaround. In a statement to Dark Reading, Google said the September patch partially mitigates the issue, but that they are issuing an additional patch for the vulnerability in the December Android security bulletin. The good news is that Google has not seen any evidence of exploitation. Google adds that exploiting the vulnerability requires specific data about the target device and that malicious applications exploiting the vulnerability have not yet been found on Google Play.
According to Dark Reading, on its face, pixnapping attacks do not appear to be the kind of attack that changes how threat actors target Android devices. Exploitation seems to be complicated. With that said, it is just another option for the bad actors to get data as part of social engineering.
How can you protect yourself from pixnapping attacks? While that answer is not yet clear for app developers, researchers say that, for Android users, it starts by ensuring they are up to date on all security updates on their Android devices. So, if you have any Android devices, check for updates once you are done listening to this podcast!
Regardless of what happens with pixnapping attacks, the ITRC is here to help you and be a resource. If you want to know more about how to protect your business or personal information or think you have been the victim of identity theft, fraud or a scam, you can speak with an expert ITRC advisor on the phone, via text message, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PT). Just visit www.idtheftcenter.org to get started.
Thanks again to Sentilink for their support of the ITRC and this podcast. Please hit the like button for this episode and subscribe wherever you listen to your podcasts.
Next Tuesday, October 28, we will release our 2025 Consumer Impact Report, which goes beyond the basic financial implications of identity crimes to explore the lost opportunities and the emotional and physical impacts experienced by victims. Next Friday, October 31, we will have a special episode of our sister podcast, the Fraudian Slip, where ITRC CEO Eva Velasquez will break down all of the findings and what they mean.
We will return in two weeks with another episode of the Weekly Breach Breakdown. I’m Tatiana Cuadras. Until then, thanks for listening.