
Hackers can steal 2FA codes and private messages from Android phones

https://arstechnica.com/security/2025/10/no-fix-yet-for-attack-that-lets-hackers-pluck-2fa-codes-from-android-phones/
44•sipofwater•2h ago

Comments

mouse_•1h ago
Would you buy a hammer that can't ever hurt your thumb? What implications would that have? Would that be a good hammer?

Bad opinion time that I hope will maybe at least be thought provoking: I would hope a malicious app I willingly installed will be able to behave maliciously. Our security bureaucracy is going to grow exponentially and people are still going to be stealing people's shit, because people need to be able to access their shit and people are dumb.

leakycap•1h ago
> requires no [Android] permissions

I think this is the part people are upset about

akerl_•1h ago
> Would you buy a hammer that can't ever hurt your thumb?

Yes.

elmerfud•1h ago
I believe those hammers are made by Nerf. Now go build a house with one.

rootusrootus•33m ago
There was a time when we would have said something similar for table saws that cannot cut off your finger. Might be a little harder to pull off the trick with a hammer, but it just seems like another engineering problem. And it would make for a very expensive hammer.

TZubiri•29m ago
Would you buy an electric saw that cannot damage your fingers?

https://www.youtube.com/watch?v=oQu3ccfl7Ow

Or you would yell at a cloud?

TZubiri•31m ago
While I appreciate the sentiment of fighting against oversecure features, this is a great security feature. The Windows OS model started development in the 90s, before the internet or even malware was popular. Android started development around 2010 and was able to provide a security design that contemplated the risks of malware and the internet.

In Windows, installing malware compromises other applications, while in Android, your other apps are safe. In this news, this security mechanism fails. To denounce the mechanism as completely useless is quite stupid; you just outed yourself as someone who doesn't have any security responsibilities and shouldn't have.

shkkmo•23m ago
> Would that be a good hammer?

They're called rubber mallets and they are useful in a number of situations where you want to

> I would hope a malicious app I willingly installed will be able to behave maliciously.

You should be able to install an app that has continuous access to your screen but that doesn't mean that continuous access to your screen is something you should have to grant to every piece of software that runs on your computer.

gdulli•17m ago
You can hurt your thumb with a rubber mallet. Maybe the better metaphor would be kids' safety scissors, which I guess represents the iPhone, but I'd still rather go with the Android (regular scissors) because I'm an adult and I'll take responsibility for the risks of using the more powerful tool.

akerl_•8m ago
Why are you speaking like having a secure device and a powerful device are exclusive options?

gnabgib•1h ago
> Requires a victim to first install a malicious app on an Android phone or tablet

As Raymond Chen/Old New Thing likes to say, this rather requires being on the other side of this airtight hatchway. You can allow apps to do things on your device.

ranger_danger•1h ago
https://0x0.st/XJZT.jpg

0cf8612b2e1e•1h ago
That the app does not require permissions is the notable bit here. I do not know the mobile system, but I thought apps were supposed to be firewalled from each other unless given explicit grants.

The obvious joke, how long has Facebook been using this exploit?

OgsyedIE•52m ago
Several preinstalled bloatware stores such as Galaxy Store, Moto apps and so forth will default to opt-in to automatically installing 'recommended apps and games' - essentially spyware garbage they get kickbacks from - in the background, plus several flagship phones now come with Temu preinstalled.

The 90% of non technically-savvy Android users are 100% exposed to the OP exploit.

AmbroseBierce•31m ago
The app needs to be opened by the user for the exploit to work, as seen in the video the researchers published, so the attack surface is big but not that big.

ActorNightly•1h ago
In other news, there are substances in the household that are so dangerous that they can kill you.

First it requires the user take buckets of ammonia and bleach and mix them together.

TZubiri•34m ago
To be fair, it's more like: you can buy a bottle of ammonia, and then get poisoned by eating an apple.

_ink_•1h ago
It can happen quickly. The app itself might be legit, but it may be based on an SDK which is either malicious or compromised.

Brybry•49m ago
And there are a lot of automatically installed junk apps on most phones. And every OTA update seems to add more.

AmbroseBierce•46m ago
It also requires that whatever information the attacker is looking for has been displayed on the screen, so for example my banking app (like most banking apps, I guess) masks my 4 digit passcode with asterisks, so it is likely safe from this specific attack.

PS: I just checked and it also doesn't change the color of the pressed keys or give any other visual feedback that an attacker might use.

TZubiri•36m ago
> The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet.

I think it speaks to the security of Android that this makes the news. Coming from Windows, Android always felt like a MUCH more secure Operating System, not just a similar quality Operating System with touch controls and support for smaller hardware.

dloy•1h ago
And they can’t with iPhones?

SchemaLoad•41m ago
iOS doesn't let apps silently screen record.

shkkmo•29m ago
How are you sure? This isn't abusing some poorly secured screenshot API; this is a timing attack on the GPU rendering process and impacts a wide range of GPUs.

lostmsu•14m ago
Neither does Android. This is a timing attack on rendering.

i386•56m ago
Android supremacy at its finest. I would never recommend that a family member buy one. The history of this kind of thing is long and keeps continuing to happen.

ChrisArchitect•26m ago
Source: https://www.pixnapping.com/

lostmsu•11m ago
TL;DR: This is a timing attack on rendering that allows capture of screen data.

hollow-moe•3m ago
Don't worry, you won't be able to install the bad application in the first place thanks to the new ID-backed app signature.

lll-o-lll•1m ago
This is a really interesting new side channel attack. One I had never considered before; it’s like rowhammer but for the screen. Clever. Also evil.

Clever and evil.

Beads: A coding agent memory system by Steve Yegge

https://steve-yegge.medium.com/introducing-beads-a-coding-agent-memory-system-637d7d92514a
1•BIackSwan•1m ago•0 comments

Eavesdropping on Internal Networks via Unencrypted Satellites [pdf]

https://satcom.sysnet.ucsd.edu/docs/dontlookup_ccs25_fullpaper.pdf
1•dweekly•3m ago•0 comments

Minnesota towns were clean energy skeptics: Now they're installing solar

https://techxplore.com/news/2025-09-rural-minnesota-towns-energy-skeptics.html
1•PaulHoule•5m ago•0 comments

Show HN: I made an AI Mafia game where AIs try to deceive you

https://ai-mafia.app
1•waynerd•6m ago•0 comments

Satellites Are Leaking the Secrets

https://www.wired.com/story/satellites-are-leaking-the-worlds-secrets-calls-texts-military-and-co...
1•madars•7m ago•1 comments

Trust between the U.S. and China is fading fast, analysts say

https://www.cnbc.com/2025/10/13/retaliation-or-escalation-trust-between-us-and-china-is-fading-fa...
1•zerosizedweasle•10m ago•0 comments

NASA's Jet Propulsion Laboratory to lay off about 550 workers

https://www.reuters.com/business/world-at-work/nasas-jet-propulsion-unit-lay-off-about-550-worker...
1•consumer451•11m ago•0 comments

Who Is the Best Meta Ads Expert in Tamil Nadu

https://shaijumkt.in/
1•indiaupdate•13m ago•0 comments

OpenAI-Broadcom agreement sends shares of chipmaker soaring

https://sg.finance.yahoo.com/news/openai-broadcom-agreement-sends-shares-151606291.html
1•mgh2•27m ago•1 comments

Zawinski's Law was Never About Email

https://danverbraganza.com/writings/reinterpreting-zawinskis-law
2•nvader•28m ago•1 comments

In depth analysis of database workloads and benchmarks

https://database-doctor.com/analysis/
1•b-man•28m ago•0 comments

Locate.name: AI makes your URLs unmemorable to unforgettable

https://www.locate.name/
1•singmj•30m ago•1 comments

AutoPR: Let's Automate Your Academic Promotion [pdf]

https://arxiv.org/abs/2510.09558
1•SerCe•33m ago•0 comments

South Africa's one million invisible children without birth certificates

https://www.france24.com/en/africa/20250705-south-africa-s-one-million-invisible-children-without...
4•mooreds•38m ago•0 comments

Figuring out round, floor and ceil with integer division

https://blog.pkh.me/p/36-figuring-out-round%2C-floor-and-ceil-with-integer-division.html
1•mooreds•39m ago•0 comments

The Life and Legend of Bruce Lee

https://halfcastewoman.substack.com/p/the-life-and-legend-of-bruce-lee
1•mooreds•40m ago•0 comments

Deep gashes are slicing up cities, swallowing houses and displacing people

https://www.nature.com/articles/d41586-025-02745-x
4•rguiscard•42m ago•1 comments

NVIDIA DGX Spark In-Depth Review: A New Standard for Local AI Inference

https://lmsys.org/blog/2025-10-13-nvidia-dgx-spark/
2•yvbbrjdr•44m ago•0 comments

Abstracted Social Media

https://lab.shinadayu.com/SNS/
2•nogajun•45m ago•1 comments

China port fees on U.S. ships set to kick in Tuesday

https://www.cnbc.com/2025/10/14/asia-pacific-markets-set-to-open-lower-as-new-china-port-fees-on-...
1•zerosizedweasle•45m ago•0 comments

Free online MKV to MP4 converter

https://mkvamp4.com
1•zgm13827•46m ago•1 comments

Dredging Up Fun – A Board Game Design Primer [video]

https://www.youtube.com/watch?v=Z0Vu_GeoSJo
1•yomismoaqui•47m ago•0 comments

Nanochat

https://simonwillison.net/2025/Oct/13/nanochat/
2•bilsbie•53m ago•1 comments

Hacktoberfest 2025

https://hacktoberfest.com
1•yomacatchy•58m ago•0 comments

GPU Glossary

https://modal.com/gpu-glossary
1•airstrike•59m ago•0 comments

Traffic lights with four colors and a new white light are coming

https://unionrayo.com/en/traffic-lights-color-white-autonomous-cars/
4•fcpguru•1h ago•3 comments

SpaceX Starship flight 11 successful

https://twitter.com/SpaceX/status/1977895039318864296
55•sfjailbird•1h ago•1 comments

China Stands Firm on Trade War Fronts, Targeting Minerals and U.S. Tech

https://www.caixinglobal.com/2025-10-14/trade-war-monitor-oct-13-china-stands-firm-on-trade-war-f...
2•zerosizedweasle•1h ago•0 comments

Japanese in Anime and Manga

https://anime-manga.jp/en/about_anime-manga/
1•rawgabbit•1h ago•1 comments

War on Slop

https://www.jasonthorsness.com/32
1•jasonthorsness•1h ago•0 comments