What happened?
Researchers at Carnegie Mellon discovered a new Android side-channel attack called Pixnapping that can steal on-screen secrets such as crypto seed phrases and 2FA codes without needing any special permissions. It abuses GPU timing, the window blur API and VSync callbacks to reconstruct pixels, and it was shown to work on Pixel 6–9 and Galaxy S25 devices running Android 13–16. Google issued a partial patch for CVE-2025-48561, but the researchers found a workaround, and a second fix is expected in December.
Who does this affect?
Any Android user who installs apps is potentially at risk, but the biggest targets are people who use crypto wallets, authenticator apps, email, messaging and payment apps, because those apps display sensitive information on screen. The attack was demonstrated on recent Google and Samsung flagships, and the researchers warn that many other Android devices may be vulnerable. Malware authors can combine Pixnapping with phishing and trojans, so individual users, app developers and security teams are all affected.
Why does this matter?
This undermines confidence in on-device self-custody and is likely to push more users toward hardware wallets or custodial services, boosting demand for secure storage solutions. Device makers, wallet providers and exchanges may face reputational hits and higher security and compliance costs, which will drive investment into security tools, audits and insurance. In the near term the news could dent trust in mobile crypto apps and increase volatility for projects tied to self-custody, while accelerating long-term spending on security and centralized alternatives.
