Security researchers have revealed a strange new attack that watches pixels instead of stealing files. It’s called[1] Pixnapping[2], and it can quietly lift what’s visible on a phone screen… even one-time passcodes, map routes, or messages… by timing how long the screen takes to draw itself.
It sounds abstract, almost academic. But it works.
The idea behind it
Pixnapping doesn’t crack encryption or sneak past permissions. It simply times the GPU, the graphics hardware that paints every frame. A malicious app can sit quietly, trigger another app to show something private, and then measure the rendering delay of tiny pieces of that image. From there, it can rebuild what appeared on screen, pixel by pixel, until characters and digits start forming into something recognizable.
The researchers found that this can be done without any special Android permissions. That’s the unsettling part. The app just needs to be installed. Nothing more.
How it happens
When the attacker’s app opens the target (say, Google Authenticator or a chat window), it overlays thin transparent layers, forcing the phone to redraw parts of the screen. The GPU compresses the frame as it renders it, but compression time changes depending on what’s being drawn. White pixels compress faster than dark ones. The timing difference, even if only microseconds, becomes a signal. With enough readings, the attacker learns the color pattern underneath. And from that, the text.
This isn’t new in theory. A few years back, researchers showed similar timing tricks inside web browsers under the name GPU.zip. Pixnapping is that concept reborn for mobile devices, turned loose on Android’s rendering system.
What the tests revealed
The team ran the attack on Google’s Pixel 6 through Pixel 9 and Samsung’s Galaxy S25. The Pixel phones leaked timing patterns cleanly enough for the attack to reconstruct six-digit authentication codes before they expired. The best success rate (about three quarters) came on the Pixel 6. Newer models leaked more slowly or less predictably, but still enough to matter. On the S25, noise from the graphics hardware scrambled results, and no codes were fully recovered within the 30-second window.
The success depends on the GPU’s data compression design. The Mali chip inside the Pixel phones seems especially prone to this kind of timing leak. Each rendered frame compresses differently depending on its content, and that slight variation tells the attacker what’s there.
It’s slow, though. The app can read at most a couple of pixels per second, which limits how much information it can grab before a code refreshes. Still, the method is consistent and doesn’t crash or alert the user.
Google’s fix and what’s next
The researchers disclosed their findings months ago. Google assigned the issue a CVE identifier (CVE-2025-48561) and pushed out a partial fix in the September Android patch. Another update is planned for December. The company said no known attacks have been spotted in the wild.
The current fix restricts how often apps can layer windows or trigger blur effects, which are key to gathering those timing readings. But the researchers found a workaround for it. They also suggested that cutting off access to fine-grained pixel computations, or redesigning GPU compression so that it behaves uniformly, would help long-term.
Samsung devices might need different changes because their timing noise looks different. The underlying issue sits deep inside the graphics pipeline, where frames are composed, compressed, and shipped to the screen.
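The timing signal described under “How it happens” and the uniform-compression mitigation the researchers suggested can be illustrated with a small simulation. This is an added example, not code from the researchers or from Android: the timing constants are assumed values chosen for illustration, and no device or GPU is involved.

```python
import random
import statistics

# All timings are constructed for illustration; they are not measurements
# from any device or from the researchers' work.
BASE_US = 100.0      # assumed render time of a small patch, in microseconds
DARK_EXTRA_US = 2.0  # assumed extra compression time when the pixel is dark
NOISE_US = 15.0      # assumed jitter per reading (standard deviation)

def render_time(is_dark, rng, uniform=False):
    """One simulated timing reading for a patch covering one pixel.

    uniform=True models compression whose time does not depend on content.
    """
    extra = DARK_EXTRA_US if (is_dark and not uniform) else 0.0
    return rng.gauss(BASE_US + extra, NOISE_US)

def classify(is_dark, readings, rng, uniform=False):
    """Average many readings, then threshold halfway between the two classes."""
    mean = statistics.fmean(
        render_time(is_dark, rng, uniform) for _ in range(readings)
    )
    return mean > BASE_US + DARK_EXTRA_US / 2

def accuracy(readings, uniform=False, pixels=300, seed=1):
    """Fraction of random pixels whose colour is recovered correctly."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(pixels):
        is_dark = rng.random() < 0.5
        hits += classify(is_dark, readings, rng, uniform) == is_dark
    return hits / pixels

if __name__ == "__main__":
    # A single reading is buried in noise; averaging exposes the 2 us gap.
    # With content-independent timing, averaging recovers nothing.
    for n in (1, 100, 2000):
        print(f"{n:>5} readings/pixel: leaky={accuracy(n):.2f} "
              f"uniform={accuracy(n, uniform=True):.2f}")
```

Raising `NOISE_US` in this model means more readings are needed per pixel for the same accuracy, which is the trade-off behind the slow pixel rate and the noisier Samsung results reported above.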
Why it matters
For most people, the risk today is low. The attack is delicate and slow, and someone would still have to install a malicious app first. But the concept is serious. It breaks the assumption that one app can’t peek at another’s visuals. It means an on-screen secret is only as private as the hardware that draws it.
Pixnapping shows how little details… timing, compression ratios, microsecond delays… can add up to visible leaks. It’s a reminder that privacy isn’t just about permissions or encryption. Sometimes, the leak hides in the way light turns into pixels.
Notes: This post was edited/created using GenAI tools. Image: DIW-Aigen.
References
- [1] called (www.pixnapping.com)
- [2] Pixnapping (www.pixnapping.com)