ArmoredMobile team reflections on Pixnapping attack

16.10.2025

The attack works as follows: the malicious app opens the target app (e.g., Google Authenticator), displays its own window on top of the target app’s window, and scans the content pixel by pixel, analyzing the execution time of graphic operations on each pixel. This scanning makes it possible to determine with high probability which pixels have a white background color and which are involved in displaying characters. To hide the pixel manipulation from the user, layers with masks are superimposed during the attack, and the contents of the window of the application carrying out the attack continue to be displayed on the screen. Conceptually, it is as if the malicious app were taking a screenshot of screen contents it should not have access to. For more details about the attack, see the article.

How the attack works: 

  1. The user installs a malicious app.
  2. The user opens the malicious app.
  3. The malicious app uses an Android intent to open the target app, such as Google Authenticator, and hides it in the background.
  4. The malicious app opens another transparent window on top of the target app.
  5. The malicious app changes the pixels of the transparent window and controls the window redraw time, similar to a hardware side-channel attack (GPU.zip).
  6. Depending on the redraw time (based on a specially prepared mathematical model), the malicious application determines the color of the pixel.
  7. Using the data obtained in step 6, the malicious application reconstructs the target app’s text using OCR.

Whether the attack can be carried out in practice “under non-ideal conditions” is questionable, and the problem is of more theoretical interest. After all, any change on the screen or in the display configuration can change the timing used to distinguish a “white pixel” from a “non-white pixel,” which the authors defined as the “reference”.
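The dependence on a fixed “reference” can be illustrated with a toy simulation. This is an example added here, not code from the Pixnapping paper or from Protelion; the timing values, noise level and function names are constructed assumptions, not measurements.

```python
import random
import statistics

# Constructed timing model in arbitrary units; NOT measurements from the paper.
WHITE_MEAN, NONWHITE_MEAN, NOISE_SD = 100.0, 103.0, 1.0

def redraw_time(is_white, rng, drift=0.0):
    """One simulated redraw time; `drift` models a changed display configuration."""
    mean = WHITE_MEAN if is_white else NONWHITE_MEAN
    return rng.gauss(mean + drift, NOISE_SD)

def calibrate(rng, samples=500):
    """Derive the white/non-white 'reference' threshold under calibration conditions."""
    white = statistics.fmean(redraw_time(True, rng) for _ in range(samples))
    dark = statistics.fmean(redraw_time(False, rng) for _ in range(samples))
    return (white + dark) / 2

def classify(is_white, threshold, rng, drift):
    """Compare one timing for a pixel with the reference; True means 'white'."""
    return redraw_time(is_white, rng, drift) < threshold

def accuracy(drift, pixels=2000, seed=1):
    """Fraction of pixels classified correctly when the baseline has shifted
    by `drift` since the reference was calibrated."""
    rng = random.Random(seed)
    threshold = calibrate(rng)
    truth = [rng.random() < 0.5 for _ in range(pixels)]
    hits = sum(classify(t, threshold, rng, drift) == t for t in truth)
    return hits / pixels

if __name__ == "__main__":
    # A drift as small as the white/non-white gap pushes the result to a coin flip.
    for drift in (0.0, 1.5, 3.0, 6.0):
        print(f"baseline drift {drift:>4}: accuracy {accuracy(drift):.2%}")
```

In this model a baseline shift equal to the white/non-white gap is enough to make the stale reference label nearly every pixel as non-white, so the recovered image carries almost no information.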

But even under such circumstances, ArmoredOS provides several protection mechanisms: 

  • Protection against window overlay. The system has advanced permission settings for overlay windows. A malicious app simply cannot display its window on top of another app to perform pixel-by-pixel analysis.
  • Prohibition of installing unsigned applications. Only verified and signed applications can be installed on ArmoredOS.
  • Restriction of data exfiltration. ArmoredOS does not have an adb daemon, and any application requires additional permission from the user to access the network. In addition, the device can be blocked from accessing the Internet at the level of the isolated on-premise Protelion infrastructure deployed at the customer's site.
  • Regular and timely security patches. Fixes are applied to ArmoredOS immediately after their release for Android.

Helpful links: 

Pixnapping paper: https://www.pixnapping.com/pixnapping.pdf

CVE-2025-48561 details: https://nvd.nist.gov/vuln/detail/CVE-2025-48561
