> requires no [Android] permissions

I think this is the part people are upset about

> Would you buy a hammer that can't ever hurt your thumb?

Yes.

While I appreciate the sentiment of fighting against oversecure features. This is a great security feature. The Windows OS model started development in the 90s, before the internet or even malware was popular. Android started development around 2010 and was able to provide a security design that contemplated risks of malware and internet.

In Windows installing malware compromises other applications, while in Android, your other apps are safe. In this news, this security mechanism fails. To denounce that the mechanism is completely useless is quite stupid, you just outed yourself as someone who doesn't have any security responsibilities and shouldn't have.

> Would that be a good hammer?

They're called rubber mallets and they are useful in a number of situations where you want to

> I would hope a malicious app I willingly installed will be able to behave maliciously.

You should be able to install an app that has continuous access to your screen but that doesn't mean that continuous access to your screen is something you should have to grant to every piece of software that runs on your computer.

That the app does not require permissions is the notable bit here. I do not know the mobile system, but I thought apps were supposed to be firewalled from each other unless given explicit grants.

The obvious joke, how long has Facebook been using this exploit?

In other news, there are substances in the household that are so dangerous that it can can kill you.

First it requires the user take buckets of ammonia and bleach and mix them together.

It can happen quickly. The app itself might be legit, but it may be based in a SDK which is either malicious or compromised.

It also requires that whatever information the attacker is looking for has been displayed on the screen, so for example my banking app (like most banking apps I guess) masks my 4 digit passcode with asterisks so it is likely safe from this specific attack

PD: I just checked and it also doesn't change the color of the pressed keys or any other visual feedback that an attacker might use.

> The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet.

I think it speaks about the security of Android that this makes the news. Coming from Windows, Android always felt as a MUCH more secure Operating System, not just a similar quality Operating System with touch controls and support for smaller hardware.

iOS doesn't let apps silently screen record.

There should be a new, stronger word for these kinds of attacks. Like clevevil, or clevil. Yes, pixnapping is clevil. We should strive for the opposite: livelc.

Good question and I think one point missing here is that the attacker needs to draw over the application showing the pixels to be stolen. Apparently, this makes use of the fact that the rendering pipeline uses compression to update screen contents. It's not written how exactly but I imagine drawing a pixel that's already present takes less time then updating it to a new color or something in that line of thought. I guess this may also allow for some decent optimization to the time it takes to determine the contents by reducing the search space to known possible screen contents and further by checking incremental amounts, like each digit separately or similar. Anyways, as far as I know to draw over other applications you need to give permission, I think it's commonly used for accessibility apps. If true, the vulnerability might be a bit less concerning then if not.