Hackers can steal 2FA codes and private messages from Android phones

⁨44⁩ ⁨likes⁩

Submitted ⁨⁨3⁩ ⁨weeks⁩ ago⁩ by ⁨along_the_road@beehaw.org⁩ to ⁨technology@beehaw.org⁩

https://arstechnica.com/security/2025/10/no-fix-yet-for-attack-that-lets-hackers-pluck-2fa-codes-from-android-phones/

source

Comments

Sort:hotnew top

thingsiplay@beehaw.org ⁨3⁩ ⁨weeks⁩ ago

Pixnapping attacks begin with the malicious app invoking Android programming interfaces that cause the authenticator or other targeted apps to send sensitive information to the device screen. The malicious app then runs graphical operations on individual pixels of interest to the attacker. Pixnapping then exploits a side channel that allows the malicious app to map the pixels at those coordinates to letters, numbers, or shapes.

It works like screenshotting the 2FA tool. It’s an Android issue.

Little bit off-topic: Linux PC
BTW this is a reminder why we need a secure Wayland solution on our desktop Linux PC. Because this sort of stealing under X11 is possible too.

source
- majster@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago
  I think lesson is different. Even with isolation, apps can escape it with side channels.
  
  source
- Midnitte@beehaw.org ⁨3⁩ ⁨weeks⁩ ago
  Authenticator app just needs to implement FLAG_SECURE, no?
  
  Seems more like an app dev issue
  
  source
  - jherazob@beehaw.org ⁨3⁩ ⁨weeks⁩ ago
    Looks like this works regardless of that
    
    source
    -> View More Comments
t3rmit3@beehaw.org ⁨2⁩ ⁨weeks⁩ ago

requires a victim to first install a malicious app on an Android phone or tablet

source
- Hirom@beehaw.org ⁨2⁩ ⁨weeks⁩ ago
  Sûre, but it’s still a serious problem even if it’s a side channel attack.
  
  Almost everyone rely on the OS/hardware providing some isolation between apps People often install shady apps, and browsers automatically execute JS/bytecode from random website they visit. Using a modern device
  
  source