ArmoredMobile team reflections on Pixnapping attack

16.10.2025

The attack works as follows: the malicious app opens the target app (e.g., Google Authenticator), displays its own window on top of the target app’s window, and scans the content pixel by pixel by analyzing the execution time of graphic operations on each pixel. Such scanning makes it possible to determine with high probability which pixels have a white background color and which are involved in displaying characters. To hide the pixel manipulation from the user, layers with masks are superimposed during the attack, and the contents of the window of the application carrying out the attack continue to be displayed on the screen. Conceptually, it is as if the malicious app were taking a screenshot of screen contents it should not have access to. For more details about the attack, see the article.

How the attack works:

  1. The user installs a malicious app.
  2. The user opens the malicious app.
  3. The malicious app uses an Android intent to open the target app, like Google Authenticator, and hides it in the background.
  4. The malicious app opens another transparent window on top of the target app.
  5. The malicious app changes the pixels of the transparent window and controls the window redraw time, similar to a hardware side-channel attack (GPU.zip).
  6. Depending on the redraw time (based on a specially prepared mathematical model), the malicious application determines the color of the pixel.
  7. Using the data obtained in step 6, the malicious application restores the target app’s text by OCR.

Carrying out the attack in practice under “non-ideal conditions” is questionable, and the problem is of more theoretical interest. After all, any change on the screen or in the display configuration can change the time used to determine a “white pixel” or a “non-white pixel”, which the authors defined as the “reference”.
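The dependence on a fixed “reference” can be illustrated with a synthetic model. This is an added example, not code from the post or the Pixnapping paper; the timing values, jitter and function names are constructed assumptions, and no real graphics API is involved.

```python
import random
import statistics

# Constructed values (assumptions): mean redraw times in microseconds for the
# two pixel classes, and per-measurement jitter. Not taken from the paper.
WHITE_US, NON_WHITE_US, JITTER_US = 100.0, 110.0, 2.0
SAMPLES = 500


def sample_times(rng, mean_us):
    """Draw synthetic redraw-time measurements around a class mean."""
    return [rng.gauss(mean_us, JITTER_US) for _ in range(SAMPLES)]


def calibrate_reference(white, non_white):
    """The 'reference': midpoint between the two calibrated class means."""
    return (statistics.mean(white) + statistics.mean(non_white)) / 2


def accuracy(reference, white, non_white):
    """Share of measurements that the fixed reference still labels correctly."""
    hits = sum(t < reference for t in white)
    hits += sum(t >= reference for t in non_white)
    return hits / (len(white) + len(non_white))


def accuracy_with_drift(drift_us, seed=1):
    """Calibrate once, then classify timings shifted by drift_us, as happens
    when the screen contents or display configuration change."""
    rng = random.Random(seed)
    reference = calibrate_reference(sample_times(rng, WHITE_US),
                                    sample_times(rng, NON_WHITE_US))
    white = sample_times(rng, WHITE_US + drift_us)
    non_white = sample_times(rng, NON_WHITE_US + drift_us)
    return accuracy(reference, white, non_white)


if __name__ == "__main__":
    for drift in (0.0, 5.0, 10.0):
        print(f"drift {drift:4.1f} us -> accuracy {accuracy_with_drift(drift):.3f}")
```

In this model a shift equal to the gap between the two classes makes the stale reference label almost every pixel as “non-white”, so accuracy falls to roughly that of guessing.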

But even under such circumstances, ArmoredOS provides several protection mechanisms: 

  • Protection against window overlay. The system has advanced permission settings for overlay windows. A malicious app simply cannot display its window on top of another app to perform pixel-by-pixel analysis.
  • Prohibition of installing unsigned applications. Only verified and signed applications can be installed on ArmoredOS.
  • Restriction of data exfiltration. ArmoredOS does not have an adb daemon, and any application requires additional permission from the user to access the network. In addition, the device can be blocked from accessing the Internet at the level of the isolated on-premise Protelion infrastructure deployed at the customer's site.
  • Regular and timely security patches. Fixes are applied to ArmoredOS immediately after their release for Android.

Helpful links: 

Pixnapping paper: https://www.pixnapping.com/pixnapping.pdf

CVE-2025-48561 details: https://nvd.nist.gov/vuln/detail/CVE-2025-48561
