PT-2025-36080 · Google · Android

Published 2025-09-01 · Updated 2025-11-21 · CVE-2025-48561

CVSS v3.1: 5.5
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Android versions 13 through 16
Samsung Galaxy S25
Google Pixel devices (6 through 9)

Description

A new side-channel attack, named Pixnapping (CVE-2025-48561), allows malicious Android applications to stealthily leak information displayed by other applications or websites. The attack exploits Android APIs and a hardware side channel affecting most modern Android devices. It can be used to steal sensitive data, such as two-factor authentication codes, from applications like Google Authenticator, Gmail, Signal, Venmo, and Google Maps.

The malicious app forces the target application to render, stacks semi-transparent activities on top of it, and measures GPU compression timing to recover the sensitive data, all without requiring special permissions. The vulnerability leverages a side channel known as GPU.zip, previously disclosed in September 2023. GPU.zip exploits data compression in modern integrated GPUs (iGPUs) and was used for pixel-stealing attacks from various sources in the browser via SVG filters; Pixnapping combines it with the Android window blur API to extract rendering data from victim applications. The malicious app sends the victim application's pixels to the rendering pipeline and overlays semi-transparent activities using Android intents.

Researchers demonstrated the attack on Google and Samsung devices, successfully reconstructing sensitive data displayed on the screen. Google released a partial patch in September 2025, but researchers found a way to bypass it; a full fix is expected in the December 2025 Android security update. Currently, there are no known exploits in the wild.

Recommendations

Update your device to the December 2025 Android security update or later.
Avoid installing untrusted applications.
Consider using hardware two-factor authentication (e.g., YubiKey).
Consider using hardware wallets for cryptocurrency.
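
To act on the update recommendation across several devices, the following added example (not part of the original advisory) classifies `adb shell getprop` output against the affected Android versions and the fix date given above. It assumes the December 2025 update is reported as security patch level 2025-12-01 or later; the function names and the sample output are constructed for illustration.

```python
import re
from datetime import date

# Assumption: the December 2025 update reports patch level 2025-12-01 or later.
FIXED_PATCH_LEVEL = date(2025, 12, 1)
AFFECTED_RELEASES = range(13, 17)  # Android 13 through 16, per the advisory

# `adb shell getprop` prints one property per line as: [key]: [value]
PROP_RE = re.compile(r"^\[([^\]]+)\]:\s*\[([^\]]*)\]\s*$")


def parse_getprop(text):
    """Parse getprop output into a dict, ignoring lines that do not match."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def triage(text):
    """Return 'needs-update', 'patched', 'not-listed' or 'unknown'."""
    props = parse_getprop(text)
    release = props.get("ro.build.version.release", "")
    patch = props.get("ro.build.version.security_patch", "")
    try:
        major = int(release.split(".")[0])
        patch_level = date.fromisoformat(patch)
    except ValueError:
        return "unknown"  # missing or malformed property: check by hand
    if major not in AFFECTED_RELEASES:
        return "not-listed"  # release is outside the range the advisory names
    return "patched" if patch_level >= FIXED_PATCH_LEVEL else "needs-update"


# Constructed sample output, not captured from a real device.
SAMPLE = """\
[ro.build.version.release]: [15]
[ro.build.version.security_patch]: [2025-09-05]
[ro.product.model]: [Pixel 9]
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A device on the September 2025 patch level is reported as `needs-update`, which matches the advisory's statement that the September patch was only partial.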

Fix

Side Channel Attack

Weakness Enumeration

Related Identifiers

BDU:2025-11675
CVE-2025-48561

Affected Products

Android