No fix yet for attack that lets hackers pluck 2FA codes from Android phones

Malicious app required to make "Pixnapping" attack work requires no permissions.

See full article...

 

[Bigdoinks]

The article indicates there is no evidence this exploit is being used in the wild.

Not yet at least. There are millions of android devices that will never get the security update that fixes this and nonetheless will continue to be used every day.

 

[GaidinBDJ]

My understsanding from the paper is that they use intent to launch the victim app, then SurfaceFlinger combines the windows together. By setting SurfaceControl's blur radius they can achieve this without the permission.

Am I misremembering, or didn't Android used to have a permission for apps to arbitrarily launch other apps on the phone that aren't signed by the same developer? Like you couldn't say "Start DialerABC" (without that permission) but had to (with a lesser permission) pass off the number to the system to arrange the appropriate software?

 

[darwiniandude]

So let me get this straight: A phone built for the purpose of letting Google spy on its users is being abused by even less ethical groups to spy on its users?

I use Apple devices, not Android. But even so, what you've said is not true. Google did not build Android to spy on it's users. Google built Android to prevent Microsoft becoming the dominant mobile platform and shutting them out. And it worked - Google is still massively relevant.

 

[Cloudgazer]

This is one of the few reasons why I am sticking with Samsung for the foreseeable future. Knox isolates apps from the rest of the OS. It's where I keep only banking and my password safe apps and it stays locked down until I need to use it, at which point I need to enter a 15 character password.

I think "read data that any other installed app displays on the screen"

This would not apply as I can't take screenshots of apps installed in Knox, I tried.

Tell me you didn't read the article without telling me you didn't read the article.

 

[Cloudgazer]

What I don't understand is how the malicious app can render something on top of another app without the "display over other apps" permission, which is already known to be a dangerous permission to grant in general.

I don't believe you need that permission to over-draw other apps if you're using the more limited system of intents. This exploit is using intents.

 

[Meski]

Permission to write over other apps is something that gets requested at install time, iirc. Also, how about having the auth app write its numbers in alternating dark/light/colours.

 

[Erbium68]

Apple make most of its money selling hardware. Google makes most of its money selling ads, which it claims are targeted, so they want to know as much about everyone as they can to maximise the amount they can charge for each ad.

I know which business model I find more trustworthy.

Actually Apple makes its money selling "value added" on top of hardware. That is still software and services.
Pixel and iPhone prices are roughly comparable, but as Google doesn't have anything like the economies of scale or the supply pipelines of Apple, their margin is probably quite a bit lower.

Believing any corporation is trustworthy is unwise.
(The Amish aren't corporations.)

 

[Cloudgazer]

Actually Apple makes its money selling "value added" on top of hardware. That is still software and services.

Nope - more than 2/3rds of revenues and more than 50% of gross margin is from products, not services.

 

[tv_expert]

My Pixel phone keeps telling me "Complete setup by installing apps. Get the most out of your device."
There are hardly any apps on the phone for this very reason: reducing the attack surface.
Further, my phone is my phone and my computer is my computer.
Really the only reason for having a smartphone at all is the authenticator app.
What next? A dumb phone and a Yubikey?

 

[TimeToTilt]

Apple make most of its money selling hardware. Google makes most of its money selling ads, which it claims are targeted, so they want to know as much about everyone as they can to maximise the amount they can charge for each ad.

I know which business model I find more trustworthy.

This is no longer true. Apple now makes more profit from services than hardware it seems. Only 25% or so if revenue but the majority of profit because their margin is 70+% which is madness.

 

[TimeToTilt]

View attachment 120222

Nope - more than 2/3rds of revenues and more than 50% of gross margin is from products, not services.

Depends on the quarter I guess but even in your screenshot that is just barely the case for profit which is what matters. 23 vs 20.5~B profit.

 

[tv_expert]

Apple has an advertising division...

It would be more accurate to say that Apple is the advertising "division." This coming from someone who used Macs for at least 20 years and iPhones from 4 to 14.
What has Apple really done since the iPhone other than using ARM designs and optimizing their supply chain.
I know this comment is going to be downvoted, but I will elaborate further in the next relevant Apple hardware article.

 

[Erbium68]

View attachment 120222

Nope - more than 2/3rds of revenues and more than 50% of gross margin is from products, not services.

"Products" includes the value added of iOS development, design, sales and marketing. We are not told the broken out COGS, but software is definitely in products.
And as you say, nearly half of gross margin is straight services, which means that given that "products" includes software as well as hardware, more than 50% of profit is coming from that direction.

 

[jatb]

Weirdly it looks like you're safe if you ever patched the blur functionality out of Android 12+. I can't stand apps which blur themselves in the window manager and shit.

Any firm HQ'd in NATO will push a malicious update to your apps or handset if you're doing anything important enough. Google just sells ads simultaneously. Only use hardware from those countries if you live in mainland China.

 

[adamsc]

Starting to think physical authenticators like Yubikey should get more popular, or even reviving the older ones that displayed a code..

User-visible codes are late 1900s technology and should not be used in any form because attackers are very practiced at convincing users to key them in to attack sites. Yubikeys and other implementations of phishing-proof protocols (U2F/FIDO/WebAuthn) have been the best choice for about 15 years but adoption was slowed by the upfront cost of tokens prior to passkeys becoming widely available. In 2025, this question should be formulated as “is this a legacy system which cannot be upgraded to support passkeys?” with the default option being WebAuthn.

 

[citizencoyote]

I'm trying to figure out how this exploit could actually be used in the wild. Even for the older Pixel 6, it takes nearly 15 seconds to correctly figure out the 2FA code. How many people leave that code on the screen that long? Maybe I'm different, but I tend to open the app, note the code, then enter it, 5-7 seconds tops. Even if I'm being slow, it's probably rarely over 10 seconds. Can the exploit read the code even after the screen changes or the authenticator app is closed? Or does it rely on the image remaining on the screen the entire time it tries to figure out the code?

That's ignoring how the app then transmits this info to an attacker to be used before the target inputs the code if it has no permissions. I suppose some sort of automated system could be set up on the back end.

 

[amateur6]

Maybe a stupid question, but how did the researchers "leak 100 different 2FA codes from Google Authenticator on each of our Google Pixel phones" when GA displays fewer than 10 at once?

I also find it interesting that the researchers were the least successful (29% of the time) on a Pixel 8, but much more successful (53%) on a Pixel 9...

 

[Frank C.]

Why would any app need access to another app's rendering

Good question.

 

[Frank C.]

This is one of the few reasons why I am sticking with Samsung for the foreseeable future. Knox isolates apps from the rest of the OS. It's where I keep only banking and my password safe apps and it stays locked down until I need to use it, at which point I need to enter a 15 character password.

I think "read data that any other installed app displays on the screen"

This would not apply as I can't take screenshots of apps installed in Knox, I tried.

Is this a plug for Samsung?

 

[VividVerism]

Good question.

The app doesn't have access to another app's rendering.

The app makes detailed time measurements of how long it takes to render its own graphics. Depending on what is already displayed on the screen (from the other app), individual pixels take longer to render in one color versus another. To the human eye the difference is imperceptible but it's long enough to measure statistically by an on-device process with access to precise time measurement APIs.

That's the nature of a side channel. The malicious app doesn't have direct access to what is rendered to the screen from another app. It must infer what is rendered on the screen through timing measurements (or sometimes power measurements, vibration measurements, etc. depending on the side channel).

 

[greamlive]

I would say they’re doing pretty damn well, seeing how they are worth about $700bln more than Google AND manage to have a much, much better track record on user privacy. They prove you don’t need to spy on your users to make a boatload of money

Just need to find ways to make them pay more for less powerful hardware.

 

[Happy Medium]

Kind of reminds me of Van Eck Phreaking, except you're looking at timing changes as opposed to radiofrequency changes. Yes, the best defense here is keeping your system clean of apps of sketchy provenance, though I do wonder if given the piecemeal development process nowadays this could be built into a supply chain attack by building it into a commonly used component of a lot of software.

 

[Chuckstar]

Edit: ninjaed

I don't think this is the right interpretation of what is going on. It is a side channel effect. The attacking app is sending rendering instructions to its own display context. The rendering pipeline is optimized to not spend time change a pixel that is already the right color. By measuring how long it takes, the attacker can get insight into what was on the screen in that location.

Does Android not have a separate compositor? Seems like apps should draw into their own context and compositing be done by the system separately.

 

[Cloudgazer]

"Products" includes the value added of iOS development, design, sales and marketing. We are not told the broken out COGS, but software is definitely in products.
And as you say, nearly half of gross margin is straight services, which means that given that "products" includes software as well as hardware, more than 50% of profit is coming from that direction.

That doesn't make any sense.

Services depend on that iOS development just as much as products do. In fact arguably more so - it's much much cheaper to develop an internal API than a publishable API suitable for 3rd parties.

R&D development would be split between the two.

 

[Cloudgazer]

Does Android not have a separate compositor? Seems like apps should draw into their own context and compositing be done by the system separately.

It does, that's why it's a side-channel. Some quotes from the paper:

SurfaceFlinger. When multiple activities are visible simultaneously on the screen, Android combines their windows together in a process called composition. This process is handled by an Android service called SurfaceFlinger. By default, SurfaceFlinger treats all windows being composed as having the same upper-left anchor point on the screen. After composition, SurfaceFlinger is respon- sible for sending the final composited screen to the display [15]. We note that all operations related to the composition of multiple windows (e.g., window blurs), which we refer to as cross-window operations, are handled by SurfaceFlinger using GPU shaders.

...

GPU.zip is a side channel exploiting graphical data compression in modern GPUs [51]. Graphical data compression has been deployed widely in mobile devices as increasing screen sizes drive up the per-frame DRAM traffic. Such compression reduces DRAM traffic by identifying redundancy in each frame and storing/transferring those frames between the CPU and GPU in a compressed format. To compress, the entire frame is broken into smaller, individually compressed, blocks along with additional metadata about the compression status of each block. As the compression is soft- ware transparent, it must be lossless. These lossless schemes are known to result in a data-dependent compression ratio and hence a data-dependent amount of data to transfer. Since the memory bandwidth is a limited resource, data-dependent DRAM traffic then translates to a data-dependent rendering time or can otherwise be monitored by a co-located attacker observing contention.

Think of this as analogous to row-hammer but for display data rather than arbitrary memory.

 

[Me Myself And I1]

But when I point that under an article about a highly theoretical Apple exploit I only get downvotes

The article indicates there is no evidence this exploit is being used in the wild.

 

[OrvGull]

User-visible codes are late 1900s technology and should not be used in any form because attackers are very practiced at convincing users to key them in to attack sites. Yubikeys and other implementations of phishing-proof protocols (U2F/FIDO/WebAuthn) have been the best choice for about 15 years but adoption was slowed by the upfront cost of tokens prior to passkeys becoming widely available. In 2025, this question should be formulated as “is this a legacy system which cannot be upgraded to support passkeys?” with the default option being WebAuthn.

I have a Yubikey but not many sites really support it. It seems like a technology that's failed to catch on.

 

[Erbium68]

That doesn't make any sense.

To you.

 

[Happy Medium]

User-visible codes are late 1900s technology and should not be used in any form because attackers are very practiced at convincing users to key them in to attack sites. Yubikeys and other implementations of phishing-proof protocols (U2F/FIDO/WebAuthn) have been the best choice for about 15 years but adoption was slowed by the upfront cost of tokens prior to passkeys becoming widely available. In 2025, this question should be formulated as “is this a legacy system which cannot be upgraded to support passkeys?” with the default option being WebAuthn.

Uhhh. Ars would beg to differ

Passkeys right now suck really hard if you have several different devices, or especially god forbid want to use multiple different browsers.

 

[Cloudgazer]

To you.

How exactly do you think Services would exist as a business without the R&D investment that you want to wholly ascribe to Product?

 

[FinallyAnAccount]

Anecdotally, there seem to be a number of news stories in Canada where folks who have been scammed have said 'but i have 2FA how did this happen'. But they're not usually detailed enough to say what 2FA they have etc.

 

[northantara]

It's a side channel attack. Basically the attacker renders something transparent in front of the target app, then using a timing attack exploiting the GPU's graphical data compression to try finding out the color of the pixels. It's not something as simple as "give me the pixels of another app showing on the screen right now." That's why it takes time and can be too slow to fit within the 30 seconds window of the Google Authenticator app.

Why does drawing the transparent something over another app not require ACTION_MANAGE_OVERLAY_PERMISSION / SYSTEM_ALERT_WINDOW?

 

[Chuckstar]

It does, that's why it's a side-channel. Some quotes from the paper:

SurfaceFlinger. When multiple activities are visible simultaneously on the screen, Android combines their windows together in a process called composition. This process is handled by an Android service called SurfaceFlinger. By default, SurfaceFlinger treats all windows being composed as having the same upper-left anchor point on the screen. After composition, SurfaceFlinger is respon- sible for sending the final composited screen to the display [15]. We note that all operations related to the composition of multiple windows (e.g., window blurs), which we refer to as cross-window operations, are handled by SurfaceFlinger using GPU shaders.

...

GPU.zip is a side channel exploiting graphical data compression in modern GPUs [51]. Graphical data compression has been deployed widely in mobile devices as increasing screen sizes drive up the per-frame DRAM traffic. Such compression reduces DRAM traffic by identifying redundancy in each frame and storing/transferring those frames between the CPU and GPU in a compressed format. To compress, the entire frame is broken into smaller, individually compressed, blocks along with additional metadata about the compression status of each block. As the compression is soft- ware transparent, it must be lossless. These lossless schemes are known to result in a data-dependent compression ratio and hence a data-dependent amount of data to transfer. Since the memory bandwidth is a limited resource, data-dependent DRAM traffic then translates to a data-dependent rendering time or can otherwise be monitored by a co-located attacker observing contention.

Think of this as analogous to row-hammer but for display data rather than arbitrary memory.

Probably devil-in-the-details, but why would any of that involve write times that the app could find out about? With a separate compositor, I was imagining the app writes to a dedicated frame buffer and the timing of the return from that write is what it has access to. Could it be that that write can be blocked by compositor activity, so the app gets indirect info about what the compositor is doing? Or can an app ask to eat it to return until the data gets to the screen, similar to asking for disk I/O to wait until the write is confirmed to the physical disk before returning (rather than returning once that data just gets to the cache)?

In the naive understanding of a compositor, that is, the app just writes to its dedicated screen buffer and the compositor reads what it needs from there when it needs it and the app never knows the difference.

 

[saanaito]

Never install apps. Use the website, or take your business to someone with a working website.

The equivalent of this on desktop OSes is to never install any programs, and I hope you can see how that falls apart in short order. (Yes, there may be fewer apps for desktop OSes whose functionality can also be performed in a web browser, but that number isn't zero.)

 

[Nilt]

Permission to write over other apps is something that gets requested at install time, iirc. Also, how about having the auth app write its numbers in alternating dark/light/colours.

Modern implementations of Android will remove permissions from apps that haven't been used in a long enough period of time. Combined with the requirement to only ask for permissions when you're going to be needing them (you've launched the app), this tends to keep rarely-used applications from being a major issue. The main problem with the draw-over permission is it's an accessibility one. There are quite a few folks who have vision disabilities of various sorts that rely on screen readers, magnifiers, and so on. It's very difficult to get rid of such features while not allowing a clever developer to use them maliciously from time to time.

 

[Nilt]

Anecdotally, there seem to be a number of news stories in Canada where folks who have been scammed have said 'but i have 2FA how did this happen'. But they're not usually detailed enough to say what 2FA they have etc.

There are a couple ways to get 2FA codes when scamming folks. The most prevalent one is to set up a phishing site and get the scamee to just enter their credentials and the 2FA code into it while passing those on to the actual site for the scammer. Another less-common method is to simply gain access to the text messages in the cell phone system. The latter costs more money but is entirely invisible to the targeted individual except for any login alerts being sent by the service the scammer is accessing. For anyone not familiar with the latter, this Veritasium video covers it quite well.

The phone hacking thing is almost always a highly targeted attack on a high value account or service, though, so for just the average individual it's generally just plain old phishing.

 

[Pooga]

I have a Yubikey but not many sites really support it. It seems like a technology that's failed to catch on.

I have this issue as well. Add in the fact that I'd have to use a USB adapter to use my Yubikey on some devices, and (and this is probably the main reason the Yubikey I got w/ my Ars subscription is still in the bubble pack it came in), the policy at my place of employment does not allow any outside devices in the building - especially anything USB connected and it's become something I'd like to employ someday but that day still seems a while off in the future - at least at the "use this for its intended purpose of general account security" level.