Open Menu
AllLocalCommunitiesAbout
lotide
AllLocalCommunitiesAbout
Login

Hackers can steal 2FA codes and private messages from Android phones

⁨39⁩ ⁨likes⁩

Submitted ⁨⁨22⁩ ⁨hours⁩ ago⁩ by ⁨along_the_road@beehaw.org⁩ to ⁨technology@beehaw.org⁩

https://arstechnica.com/security/2025/10/no-fix-yet-for-attack-that-lets-hackers-pluck-2fa-codes-from-android-phones/

source

Comments

Sort:hotnewtop
  • t3rmit3@beehaw.org ⁨13⁩ ⁨minutes⁩ ago

    requires a victim to first install a malicious app on an Android phone or tablet

    source
  • thingsiplay@beehaw.org ⁨21⁩ ⁨hours⁩ ago

    Pixnapping attacks begin with the malicious app invoking Android programming interfaces that cause the authenticator or other targeted apps to send sensitive information to the device screen. The malicious app then runs graphical operations on individual pixels of interest to the attacker. Pixnapping then exploits a side channel that allows the malicious app to map the pixels at those coordinates to letters, numbers, or shapes.

    It works like screenshotting the 2FA tool. It’s an Android issue.

    Little bit off-topic: Linux PC

    BTW this is a reminder why we need a secure Wayland solution on our desktop Linux PC. Because this sort of stealing under X11 is possible too.

    source
    • majster@lemmy.zip ⁨19⁩ ⁨hours⁩ ago

      I think lesson is different. Even with isolation, apps can escape it with side channels.

      source
    • Midnitte@beehaw.org ⁨17⁩ ⁨hours⁩ ago

      Authenticator app just needs to implement FLAG_SECURE, no?

      Seems more like an app dev issue

      source
      • jherazob@beehaw.org ⁨12⁩ ⁨hours⁩ ago

        Looks like this works regardless of that

        source
        • -> View More Comments