The "Pixnapping" Android vulnerability may endanger cryptocurrency wallet mnemonic phrases and 2FA codes.


A newly discovered Android vulnerability allows malicious applications to access content displayed by other applications, potentially jeopardizing recovery phrases for crypto wallets, two-factor authentication (2FA) codes, and more.

According to a recent research paper, the "Pixnapping" attack "bypasses all browser mitigations and can even steal sensitive information from non-browser applications." This is achieved by leveraging the Android application programming interface (API) to calculate the specific pixel content displayed by different applications.

The attack is not as simple as a malicious application requesting and accessing another application's displayed content. Instead, the malicious application overlays a series of attacker-controlled, semi-transparent activities that obscure everything except a selected pixel, then manipulates that pixel so that its color dominates the frame.

By repeating this process and timing frame rendering, the malware infers the value of each pixel and reconstructs the confidential information on the screen. Fortunately, this process takes time, which limits the attack's usefulness against content that is displayed for only a few seconds.

One particularly sensitive piece of information that stays on the screen for far longer than a few seconds is the recovery phrase for a crypto wallet. These phrases give complete, unrestricted access to the associated crypto wallets, which is why users are required to write them down and keep them secure. The paper tested attacks on 2FA codes on Google Pixel devices:

While capturing the full 12-word recovery phrase takes longer, the attack remains feasible if the user keeps the phrase visible while writing it down.

The vulnerability was tested on five devices running Android versions 13 to 16: Google Pixel 6, Google Pixel 7, Google Pixel 8, Google Pixel 9, and Samsung Galaxy S25. Researchers stated that due to the widely available API being exploited, the same attack could be effective on other Android devices.

Google initially attempted to patch the vulnerability by limiting the number of activities an application can obscure at one time. However, researchers reported that they found a workaround that still allows Pixnapping to operate.

According to the paper, Google rated the issue as high severity and committed to awarding a bug bounty to the researchers. The team also contacted Samsung, warning that "Google's patch is insufficient to protect Samsung devices."

The most obvious way to address this issue is to avoid displaying recovery phrases or any other particularly sensitive content on Android devices. A better practice is to avoid displaying recovery information on any device with internet capabilities.

A simple solution to achieve this is to use hardware wallets. Hardware wallets are dedicated key management devices that sign transactions outside of a computer or smartphone, without exposing private keys or recovery phrases. As threat researcher Vladimir S stated in an X post on the subject:


Original article: “Pixnapping” Android vulnerability could expose crypto wallet seed phrases and 2FA codes
