'Pixnapping' Attacks Can Steal On-Screen Data in Seconds

A research team featuring Riccardo Paccagnella, an assistant professor in the Software and Societal Systems Department, has uncovered a new class of Android attacks that can stealthily steal sensitive information displayed by other apps or even websites.

The attack, dubbed "Pixnapping," exploits both Android operating system features and a hardware side channel to extract on-screen data — such as two-factor authentication (2FA) codes, private messages and financial information — without users ever realizing their data has been compromised. The researchers presented their work at the ACM Conference on Computer and Communications Security (CCS 2025) in Taipei, Taiwan.

Read the full story on the Carnegie Mellon CyLab website.