An unauthenticated absolute and relative path traversal vulnerability exists in the smart home/building automation platform via the /ajax/php/get_file_content.php endpoint. By supplying a crafted 'file' POST parameter, a remote attacker can read arbitrary files from the server's file system, resulting in sensitive information disclosure.

Title: Ilevia EVE X1 Server 4.7.18.0.eden Parameter Traversal Arbitrary File Access  
Advisory ID: ZSL-2025-5960  
Type: Local/Remote  
Impact: Security Bypass, Exposure of System Information, Exposure of Sensitive Information  
Risk: (5/5)  
Release Date: 16.10.2025

**Summary**

EVE is a smart home and building automation solution designed for both residential and commercial environments, including malls, hotels, restaurants, bars, gyms, spas, boardrooms, and offices. It enables comprehensive control and monitoring of electrical installations through a highly customizable, user-friendly interface.

EVE is a multi-protocol platform that integrates various systems within a smart building to enhance comfort, security, safety, and energy efficiency. Users can manage building functions via iPhone, iPad, Android devices, Windows PCs, or Mac computers.

The EVE X1 Server is the dedicated hardware solution for advanced building automation needs. Compact and powerful, it is ideal for apartments, small to medium-sized homes, and smaller commercial installations. It is designed to manage entire automation systems reliably and efficiently.

**Description**

An unauthenticated absolute and relative path traversal vulnerability exists in the smart home/building automation platform via the /ajax/php/get\_file\_content.php endpoint. By supplying a crafted 'file' POST parameter, a remote attacker can read arbitrary files from the server's file system, resulting in sensitive information disclosure.

**Vendor**

Ilevia Srl. - https://www.ilevia.com

**Affected Version**

<= 4.7.18.0.eden (Logic ver: 6.00)

**Tested On**

GNU/Linux 5.4.35 (armv7l)  
GNU/Linux 4.19.97 (armv7l)  
Armbian 20.02.1 Buster  
Apache/2.4.38 (Debian)  
PHP Version 7.3.31

**Vendor Status**

\[01.05.2024\] Vulnerability discovered.  
\[06.05.2024\] Vendor contacted.  
\[06.05.2024\] Vendor responds asking more details.  
\[06.05.2024\] Sent high-level details to the vendor, asked for PGP key.  
\[06.05.2024\] Vendor provides public key and asks for a reason of the contact.  
\[06.05.2024\] Replied to the vendor.  
\[07.05.2024\] Vendor expresses gratitude, maybe discuss a service in the future.  
\[16.05.2025\] Asked vendor for status update.  
\[18.05.2025\] No response from the vendor.  
\[19.05.2025\] Asked vendor for status update.  
\[15.10.2025\] No response from the vendor.  
\[16.10.2025\] Public security advisory released.

**PoC**

ilevia\_path.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <\[email protected\]\>

**References**

\[1\] https://www.cve.org/CVERecord?id=CVE-2025-34517  
\[2\] https://www.cve.org/CVERecord?id=CVE-2025-34518  
\[3\] https://packetstorm.news/files/id/210574/

**Changelog**

\[16.10.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: \[email protected\]

Ilevia EVE X1 Server 4.7.18.0.eden Parameter Traversal Arbitrary File Access

The EVE X1 server suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'mbus_file' and 'mbus_csv' HTTP POST parameters through /ajax/php/mbus_build_from_csv.php script.

Title: Ilevia EVE X1 Server 4.7.18.0.eden (mbus) Unauthenticated Remote Command Injection  
Advisory ID: ZSL-2025-5962  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (5/5)  
Release Date: 16.10.2025

**Summary**

EVE is a smart home and building automation solution designed for both residential and commercial environments, including malls, hotels, restaurants, bars, gyms, spas, boardrooms, and offices. It enables comprehensive control and monitoring of electrical installations through a highly customizable, user-friendly interface.

EVE is a multi-protocol platform that integrates various systems within a smart building to enhance comfort, security, safety, and energy efficiency. Users can manage building functions via iPhone, iPad, Android devices, Windows PCs, or Mac computers.

The EVE X1 Server is the dedicated hardware solution for advanced building automation needs. Compact and powerful, it is ideal for apartments, small to medium-sized homes, and smaller commercial installations. It is designed to manage entire automation systems reliably and efficiently.

**Description**

The EVE X1 server suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'mbus\_file' and 'mbus\_csv' HTTP POST parameters through /ajax/php/mbus\_build\_from\_csv.php script.

**Vendor**

Ilevia Srl. - https://www.ilevia.com

**Affected Version**

<= 4.7.18.0.eden (Logic ver: 6.00)

**Tested On**

GNU/Linux 5.4.35 (armv7l)  
GNU/Linux 4.19.97 (armv7l)  
Armbian 20.02.1 Buster  
Apache/2.4.38 (Debian)  
PHP Version 7.3.31

**Vendor Status**

\[01.05.2024\] Vulnerability discovered.  
\[06.05.2024\] Vendor contacted.  
\[06.05.2024\] Vendor responds asking more details.  
\[06.05.2024\] Sent high-level details to the vendor, asked for PGP key.  
\[06.05.2024\] Vendor provides public key and asks for a reason of the contact.  
\[06.05.2024\] Replied to the vendor.  
\[07.05.2024\] Vendor expresses gratitude, maybe discuss a service in the future.  
\[16.05.2025\] Asked vendor for status update.  
\[18.05.2025\] No response from the vendor.  
\[19.05.2025\] Asked vendor for status update.  
\[15.10.2025\] No response from the vendor.  
\[16.10.2025\] Public security advisory released.

**PoC**

ilevia\_cmdinj.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <\[email protected\]\>

**References**

\[1\] https://www.cve.org/CVERecord?id=CVE-2025-34513  
\[2\] https://packetstorm.news/files/id/210575/

**Changelog**

\[16.10.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: \[email protected\]

Ilevia EVE X1 Server 4.7.18.0.eden (mbus) Unauthenticated Remote Command Injection

Input passed to the GET parameter 'error' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

Title: Ilevia EVE X1 Server 4.7.18.0.eden Unauthenticated Reflected XSS  
Advisory ID: ZSL-2025-5961  
Type: Local/Remote  
Impact: Cross-Site Scripting  
Risk: (4/5)  
Release Date: 16.10.2025

**Summary**

EVE is a smart home and building automation solution designed for both residential and commercial environments, including malls, hotels, restaurants, bars, gyms, spas, boardrooms, and offices. It enables comprehensive control and monitoring of electrical installations through a highly customizable, user-friendly interface.

EVE is a multi-protocol platform that integrates various systems within a smart building to enhance comfort, security, safety, and energy efficiency. Users can manage building functions via iPhone, iPad, Android devices, Windows PCs, or Mac computers.

The EVE X1 Server is the dedicated hardware solution for advanced building automation needs. Compact and powerful, it is ideal for apartments, small to medium-sized homes, and smaller commercial installations. It is designed to manage entire automation systems reliably and efficiently.

**Description**

Input passed to the GET parameter 'error' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

**Vendor**

Ilevia Srl. - https://www.ilevia.com

**Affected Version**

<= 4.7.18.0.eden (Logic ver: 6.00)

**Tested On**

GNU/Linux 5.4.35 (armv7l)  
GNU/Linux 4.19.97 (armv7l)  
Armbian 20.02.1 Buster  
Apache/2.4.38 (Debian)  
PHP Version 7.3.31

**Vendor Status**

\[01.05.2024\] Vulnerability discovered.  
\[06.05.2024\] Vendor contacted.  
\[06.05.2024\] Vendor responds asking more details.  
\[06.05.2024\] Sent high-level details to the vendor, asked for PGP key.  
\[06.05.2024\] Vendor provides public key and asks for a reason of the contact.  
\[06.05.2024\] Replied to the vendor.  
\[07.05.2024\] Vendor expresses gratitude, maybe discuss a service in the future.  
\[16.05.2025\] Asked vendor for status update.  
\[18.05.2025\] No response from the vendor.  
\[19.05.2025\] Asked vendor for status update.  
\[15.10.2025\] No response from the vendor.  
\[16.10.2025\] Public security advisory released.

**PoC**

ilevia\_xss.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <\[email protected\]\>

**References**

\[1\] https://www.cve.org/CVERecord?id=CVE-2025-34512

**Changelog**

\[16.10.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: \[email protected\]

Ilevia EVE X1 Server 4.7.18.0.eden Unauthenticated Reflected XSS

Privacy left the chat. A misconfigured Kafka broker effectively undid the anonymity many users rely on.

The Cybernews research team found that video call app Huddle01 exposed email addresses, real names, and other identifiers through an unprotected Kafka broker.

Think of an unprotected Kafka broker like a post office that stores and delivers confidential mail. Now, imagine the manager leaves the front doors wide open, with no locks, guards, or ID checks. Anyone can walk in, look through private letters and photos, and grab whatever catches their eye.

Huddle01 is a video call app that focuses on decentralized Web Real-Time Communication (WebRTC). WebRTC is appealing because it lets people talk and share data directly between devices without using a central server. Done right, this can reduce latency, cut costs, and improve privacy.

But leaving your Kafka broker open to anyone who happens to stumble upon it does not qualify as “doing privacy right.” The Kafka broker operated without authentication or encryption, meaning anyone could listen in, collect logs, or potentially alter data if write access existed. This demonstrates a fundamental misconfiguration that puts both users and the platform at risk.

The Kafka instance contained over 621,000 log entries from the last 13 days, belonging to Huddle01, including:

*   Usernames (sometimes real names)
*   Email addresses
*   Crypto wallet addresses (Huddle01 supports many wallets across blockchains like Bitcoin and Ethereum)
*   Detailed activity data, such as which users joined specific calls, participants in each call, country, time, date, and duration
*   Other identifiers

The app is popular among cryptocurrency users, but in this case the open Kafka instance could have deanonymized their wallets by tying their crypto wallets to usernames and email addresses. Which also paints a target on their back as potentially high-value targets.

It also makes users more vulnerable to social engineering since attackers can craft credible emails or messages using real names and meeting data.

And hold on for the worst part. Cybernews states it responsibly disclosed the data leak to the company behind Huddle01…

> “However, it did not respond to the initial disclosure and subsequent attempts. After one month, the exposed server remained accessible. It’s unclear how many other third parties might have accessed the data.”

**Security tips for affected users**

Knowing that the exposed information goes back about two weeks doesn’t help much, since anyone with access could have set up a data collector, listening in on the real-time data streaming and processing going on.

So, any Huddle01 users should:

*   Change passwords on accounts linked to the exposed email or username, and use strong, unique passwords for each site.
*   Set up two-factor authentication (2FA) wherever possible to prevent unauthorized access.
*   Monitor inboxes for suspicious messages. Be extra cautious of emails or texts asking for crypto transactions or sensitive information, as targeted phishing is a possibility. Be especially wary of social engineering attempts that reference details from meeting logs, such as who you spoke to or when meetings occurred.
*   Stay updated on official statements from Huddle01 or news coverage, as they may release more guidance later.

**Pro tip:** Did you know that you can submit suspicious messages like these to Malwarebytes Scam Guard, which instantly flags known scams?

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 Video call app Huddle01 exposed 600K+ user logs 

The online world is changing fast. Every week, new scams, hacks, and tricks show how easy it’s become to turn everyday technology into a weapon. Tools made to help us work, connect, and stay safe are now being used to steal, spy, and deceive.
Hackers don’t always break systems anymore — they use them. They hide inside trusted apps, copy real websites, and trick people into giving up control

ThreatsDay Bulletin: $15B Crypto Bust, Satellite Spying, Billion-Dollar Smishing, Android RATs & More

We dive into the “last goodbye” messages sent via TikTok that lead victims to a crypto paywall scam.

This scam starts in your TikTok DMs. A brand-new account drops a melodramatic message—terminal illness, last goodbye, “I left you some assets.” At the bottom: a ready-made username and password for a crypto site you’ve never used. It’s designed to feel urgent and personal so you tap before you think. The whole funnel is built for phones: big tap targets, short copy, sticky chat bubbles—perfect for someone arriving straight from TikTok.

Thanks to our community for spotting this one. This exact scam was shared on our Malwarebytes subreddit by user Ok-Internal-2110, who posted a warning for TikTok users after encountering it firsthand.

I walked through the flow so you don’t have to.

****What the site shows vs. what actually exists****

**The illusion:**  
The moment you log in with the credentials from that TikTok DM, a glossy, mobile-friendly dashboard flashes a huge balance. There’s motion (numbers “update”), a believable “history,” and a big **Withdraw** button right where your thumb expects it. On a small screen, it looks like a real account with real money.

**The trap:**  
When you try to send that balance to your own wallet, the site asks for a withdrawal key belonging to the original account holder—the one from the DM. You don’t have that key, and support won’t give it to you. External withdrawals are a dead end by design.

**The detour they push you to take:**  
Support suggests using **Internal Transfer** instead. Conveniently, they also offer to help you create a new user “in seconds,” and this new account _will_ have its own key (because you created it). That makes it feel like you’re finally doing something legitimate: “I’ll just transfer the funds to my new account and then withdraw.”

**The paywall you only meet once you’re invested:**  
Internal transfers only work on “VIP” accounts. To upgrade to VIP, you must pay for a membership. Many victims pay here, assuming it’s a one-time hurdle before they can finally withdraw.

**Why nothing real ever leaves the site:**  
After you upgrade and attempt the internal transfer, the site can:

*   demand another fee (a “limit lift,” “tax,” or “security key”),
*   fail silently and push you to support, or
*   “complete” the transfer inside the fake ledger while still blocking any external withdrawal.

Victims end up **paying for the privilege of moving fake numbers between fake accounts**—then paying again to “unlock” a withdrawal that never happens.

**The scam in a nutshell**

This scam is built for volume. DMs and comments via a huge platform like TikTok seed the same gift-inheritance story to thousands of people at once.

Two things do the heavy lifting:

*   **Shock value**: That huge, unexpected number on the dashboard delivers a little jolt of surprise mixed with excitement, which lowers skepticism and pushes you into fast, emotional decision-making.
*   **Foot-in-the-door**: Small steps (log in > try withdraw > hit a roadblock > “just upgrade to VIP”) nudge you toward paying a fee that now feels reasonable.

With borrowed authenticity from a big on-screen balance, the scammers sell you VIP access to move that fake balance around internally while keeping you forever one step away from a real, on-chain withdrawal.

**Why do people keep paying up?**

*   The balance _looks_ real, so every new hurdle feels like bureaucracy, not fraud.
*   Paying once creates sunk cost: “I’ve already invested—one more step and I’m done.”
*   Internal movements inside their dashboard mimic progress, even though no on-chain transfer ever occurs.
*   A mobile flow encourages momentum—it’s always “one more tap” to finish.

Any system that makes you **pay to receive money that allegedly already belongs to you** is likely to be a scam.

The part most people miss is that you’re also handing over personal data. Even if you never send crypto, the site and the chat funnel collect a surprising amount of information, including your name, email, and phone number.

That data is valuable on its own and makes follow-up scams easier. Phishing that references the earlier “account,” extortion threats, fake “refund” offers that ask for remote access, SIM-swap attempts tied to your number, or simple resale of your details to other crews—and sadly, getting hooked once increases the odds you’ll be targeted again.

**How to recognize this family of scams**

*   You’re asked to log into a site with credentials someone else gave you.
*   A big balance appears instantly, but external withdrawals require a mystery key or never complete.
*   You’re told internal transfers are possible only after buying VIP or a membership.
*   The support bubble is quick to reply about upgrades and silent about on-chain withdrawals.
*   Any “proof” of funds exists only inside their dashboard—no public ledger, no small test withdrawal.

**How to stay safe**

There are safer ways to test claims (without losing money):

1.  **Never pay to “unlock” money.** If funds are yours, you don’t buy permission to move them.
2.  **Ask for on-chain proof.** Real balances live on a public ledger. If they can’t show it, it doesn’t exist.
3.  **Attempt a tiny withdrawal first** to a wallet you control—on legitimate platforms, that’s routine after verifying your identity (know you customer, or KYC) and enabling two-factor authentication (2FA).
4.  **Search the flow, not just the brand.** Scam kits change names and domains, but the “VIP to withdraw” mechanic stays the same.

What to do if you already engaged:

*   **Stop sending funds.** The next fee is not the last fee.
*   **Lock down accounts:** change passwords, enable 2FA, reset app passwords, and review recovery phone/email.
*   **Reduce future targeting:** consider a new email/number for financial accounts and remove your number from public profiles.
*   **Document everything** (screenshots, timestamps, any wallet addresses or TXIDs if you paid).
*   **Report** the TikTok account and the website, and file with your local cybercrime or consumer-protection channel.
*   **Tell someone close to you.** Shame keeps people quiet; silence helps the scammers.

If a platform says there’s a pile of crypto waiting for you but you must buy VIP to touch it, you’re not withdrawing funds; you’re buying a story. TikTok brings you in on your phone; the mobile UI keeps you tapping. Close the tab, report the DM, and remember: dashboards can be faked, public ledgers can’t.

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 TikTok scam sells you access to your own fake money 

The malicious app required to make a “Pixnapping” attack work requires no permissions.

Android devices are vulnerable to a new attack that can covertly steal two-factor authentication codes, location timelines, and other private data in less than 30 seconds.

The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet. The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work. Google released mitigations last month, but the researchers said a modified version of the attack works even when the update is installed.

**Like Taking a Screenshot**

Pixnapping attacks begin with the malicious app invoking Android programming interfaces that cause the authenticator or other targeted apps to send sensitive information to the device screen. The malicious app then runs graphical operations on individual pixels of interest to the attacker. Pixnapping then exploits a side channel that allows the malicious app to map the pixels at those coordinates to letters, numbers, or shapes.

“Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping,” the researchers wrote on an informational website. “Chat messages, 2FA codes, email messages, etc. are all vulnerable since they are visible. If an app has secret information that is not visible (e.g., it has a secret key that is stored but never shown on the screen), that information cannot be stolen by Pixnapping.”

The new attack class is reminiscent of GPU.zip, a 2023 attack that allowed malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites. It worked by exploiting side channels found in GPUs from all major suppliers. The vulnerabilities that GPU.zip exploited have never been fixed. Instead, the attack was blocked in browsers by limiting their ability to open iframes, an HTML element that allows one website (in the case of GPU.zip, a malicious one) to embed the contents of a site from a different domain.

Pixnapping targets the same side channel as GPU.zip, specifically the precise amount of time it takes for a given frame to be rendered on the screen.

“This allows a malicious app to steal sensitive information displayed by other apps or arbitrary websites, pixel by pixel,” Alan Linghao Wang, lead author of the research paper “Pixnapping: Bringing Pixel Stealing out of the Stone Age,” explained in an interview. “Conceptually, it is as if the malicious app was taking a screenshot of screen contents it should not have access to. Our end-to-end attacks simply measure the rendering time per frame of the graphical operations to determine whether the pixel was white or nonwhite.”

**Pixnapping in 3 Steps**

The attack occurs in three main steps. In the first, the malicious app invokes Android APIs that make calls to the app the attacker wants to snoop on. These calls can also be used to effectively scan an infected device for installed apps of interest. The calls can further cause the targeted app to display specific data it has access to, such as a message thread in a messaging app or a 2FA code for a specific site. This call causes the information to be sent to the Android rendering pipeline, the system that takes each app's pixels so they can be rendered on the screen. The Android-specific calls made include activities, intents, and tasks.

In the second step, Pixnapping performs graphical operations on individual pixels that the targeted app sent to the rendering pipeline. These operations choose the coordinates of target pixels the app wants to steal and begin to check if the color of those coordinates is white or nonwhite or, more generally, if the color is c or non-c (for an arbitrary color c).

“Suppose, for example, \[the attacker\] wants to steal a pixel that is part of the screen region where a 2FA character is known to be rendered by Google Authenticator,” Wang said. “This pixel is either white (if nothing was rendered there) or nonwhite (if part of a 2FA digit was rendered there). Then, conceptually, the attacker wants to cause some graphical operations whose rendering time is long if the target victim pixel is nonwhite and short if it is white. The malicious app does this by opening some malicious activities (i.e., windows) in front of the victim app that was opened in Step 1.”

The third step measures the amount of time required at each coordinate. By combining the times for each one, the attack can rebuild the images sent to the rendering pipeline one pixel at a time.

As Ars reader hotball put it in the comments below:

> Basically the attacker renders something transparent in front of the target app, then using a timing attack exploiting the GPU's graphical data compression to try finding out the color of the pixels. It's not something as simple as "give me the pixels of another app showing on the screen right now." That's why it takes time and can be too slow to fit within the 30 seconds window of the Google Authenticator app.

In an online interview, paper coauthor Ricardo Paccagnella described the attack in more detail:

> Step 1: The malicious app invokes a target app to cause some sensitive visual content to be rendered.
> 
> Step 2: The malicious app uses Android APIs to "draw over" that visual content and cause a side channel (in our case, GPU.zip) to leak as a function of the color of individual pixels rendered in Step 1 (e.g., activate only if the pixel color is c).
> 
> Step 3: The malicious app monitors the side effects of Step 2 to infer, e.g., if the color of those pixels was c or not, one pixel at a time.
> 
> Steps 2 and 3 can be implemented differently depending on the side channel that the attacker wants to exploit. In our instantiations on Google and Samsung phones, we exploited the GPU.zip side channel. When using GPU.zip, measuring the rendering time per frame was sufficient to determine if the color of each pixel is c or not. Future instantiations of the attack may use other side channels where controlling memory management and accessing fine-grained timers may be necessary (see Section 3.3 of the paper). Pixnapping would still work then: The attacker would just need to change how Steps 2 and 3 are implemented.

The amount of time required to perform the attack depends on several variables, including how many coordinates need to be measured. In some cases, there’s no hard deadline for obtaining the information the attacker wants to steal. In other cases—such as stealing a 2FA code—every second counts, since each one is valid for only 30 seconds. In the paper, the researchers explained:

> To meet the strict 30-second deadline for the attack, we also reduce the number of samples per target pixel to 16 (compared to the 34 or 64 used in earlier attacks) and decrease the idle time between pixel leaks from 1.5 seconds to 70 milliseconds. To ensure that the attacker has the full 30 seconds to leak the 2FA code, our implementation waits for the beginning of a new 30-second global time interval, determined using the system clock.
> 
> ... We use our end-to-end attack to leak 100 different 2FA codes from Google Authenticator on each of our Google Pixel phones. Our attack correctly recovers the full 6-digit 2FA code in 73%, 53%, 29%, and 53% of the trials on the Pixel 6, 7, 8, and 9, respectively. The average time to recover each 2FA code is 14.3, 25.8, 24.9, and 25.3 seconds for the Pixel 6, Pixel 7, Pixel 8, and Pixel 9, respectively. We are unable to leak 2FA codes within 30 seconds using our implementation on the Samsung Galaxy S25 device due to significant noise. We leave further investigation of how to tune our attack to work on this device to future work.

In an email, a Google representative wrote, “We issued a patch for CVE-2025-48561 in the September Android security bulletin, which partially mitigates this behavior. We are issuing an additional patch for this vulnerability in the December Android security bulletin. We have not seen any evidence of in-the-wild exploitation.”

Pixnapping is useful research in that it demonstrates the limitations of Google's security and privacy assurances that one installed app can’t access data belonging to another app. The challenges in implementing the attack to steal useful data in real-world scenarios, however, are likely to be significant. In an age when teenagers can steal secrets from Fortune 500 companies simply by asking nicely, the utility of more complicated and limited attacks is probably of less value.

_This story originally appeared on_ _Ars Technica._

A New Attack Lets Hackers Steal 2-Factor Authentication Codes From Android Phones

The proof-of-concept exploit allows an attacker to steal sensitive data from Gmail, Google Accounts, Google Authenticator, Google Maps, Signal, and Venmo.

Pixnapping Attack Lets Attackers Steal 2FA on Android

Gone are the days when extortion was only the plot line of crime dramas—today, these threatening tactics target anyone with a smartphone, especially Gen Z.

Gone are the days when extortion was only the plot line of crime dramas—today, these threatening tactics target anyone with a smartphone. As AI makes fake voices and videos sound and look real, high-pressure plays like sextortion, deepfakes, and virtual kidnapping feel more believable than ever before, tricking even the most digitally savvy users. Gen Z and Millennials are most at risk, accounting for two in three victims of extortion scams. These scammers prey on what’s personal, wreaking havoc on their victims’ privacy, reputations, and peace of mind.

Our latest research shows that one in three mobile users has been targeted by an extortion scam, and nearly one in five has fallen victim. Gen Z is hit hardest: more than half (58%) have been targets, and over 1 in 4 (28%) have been a victim. Sextortion—threatening to leak nude photos or videos or expose pornographic search history— is particularly notable, with one in six mobile users reporting they’ve been a target. Among Gen Z, that number jumps to 38%.

**Five things to know about mobile extortion scams******1\. Who’s most at risk: Gen Z and Millennials with a risk tolerant profile****

Compared to victims and targets of other types of mobile scams, extortion victims tend to be younger, male, and mobile-first. Their profile:

*   **Young:** 69% of victims and 64% of targets are Gen Z or Millennial (vs. 52%/40% of victims and targets of other types of scams, respectively)
*   **Male:** 65% of victims and 60% of targets are male (vs. 48%/45%)
*   **Parents:** 45% of victims and 41% of targets are parents (vs. 36%/26%)
*   **Minorities:** 53% of victims are non-white (vs. 39%)
*   **Mobile-first:** 52% of victims and 46% of targets agree _“I’m more likely to click a link on my phone than on my laptop”_ (vs. 42%/36%)

However, this simply shows how targets and victims skew. Behaviors typically play a bigger role in overall risk.

**2\. What the damage looks like: emotional and deeply personal**

Extortion criminals use personal, high-stakes threats in their scams. Victims and targets of extortion scams in our survey report experiences ranging from scammers threatening to expose nude photos and videos to claims that a family member was in an accident.

These personalized, high-pressure threats make extortion victims especially vulnerable, and while victims of all mobile scams suffer serious emotional, financial, and functional fallout at the hands of their scammers, extortion victims experience outsized impact:

*   **Nearly 9 in 10** extortion victims reported **emotional harm** because of the scam they experienced
*   **35%** experienced **blackmail or harassment**
*   **21%** experienced **damage to their reputation**
*   **19%** faced **consequences at work or school**

Even when targets don’t fall victim, the threats alone can cause emotional harm:

> “I didn’t lose anything, I was just **scared** because they wanted to inform all my friends, family, and employers how perverted I was because I supposedly watched porn.”   
> 
> —Gen Z survey respondent, DACH region

**3\. Why it’s getting worse: AI is raising the stakes**

AI is increasingly good at making fake feel real, giving criminals even more of an advantage when manipulating and extorting victims. One in five mobile users has been the target of a deepfake scam and nearly as many have encountered a virtual kidnapping scam (a decades-old tactic that now often uses AI voice cloning). Two in five (43%) Gen Z users have been a target of one of these.

 Who AI scams hit: Victims and targets skew Gen Z and iPhone users with a deep digital footprint. This could leave their personal information, images, or even voice more accessible to cybercriminals who want to use it as part of a scam.

*   **Gen Z:** 45% (vs. 31% for extortion victims and targets overall)
*   **iPhone users:** 62% (vs. 51% overall)
*   **Data sharers\*:** 81% (vs. 71% overall)

_\*Agree with the statement: “I understand that sharing personal information with apps, on social media, or on messaging services can be risky, but I am okay with that risk”_

So why might exposure be higher for Gen Z? Digital natives are most entrenched in mobile-first behavior and most active in low-oversight casual commerce (DMing for deals, using buy/sell/trade groups, clicking on ads to purchase or download, sending money for a future service). They also show up more on alternative platforms like Discord, Tumblr, Twitch, and Mastodon, where identity checks are lighter and parasocial trust runs high, creating a sweet spot for scammers. 

> “The scammer makes you believe it is a legit conversation. They/He/She talk to you like they know you. Trying to convince you they are supporting/helping you in some way to fix something. When they are just fishing for more information!”
> 
> _— Gen Z US Survey Respondent_   

For victims of AI-driven scams, the fallout is even more extreme: 32% suffered reputation damage (vs. 21% for extortion victims overall), 29% suffered work/school consequences (vs. 11%), 24% had their personal information stolen (vs. 14%), and 21% had financial accounts opened in their name (vs. 13%), underscoring the threat of these evolving scams. 

**4\. Where the risk lives: constant, cross-channel exposure   **

Scammers know the more they approach a target, the more likely they are to create a victim. 78% of extortion victims and 63% of targets experience scam attempts daily (vs. 44%/36% in other scam groups), driving alert fatigue and making it more likely that a scammer will slip through the cracks.

Extortion victims and targets also over-index on using informal buying and selling channels—spaces like social media where identity is fuzzy, protections are lacking, and decisions are quick. Being in more casual spaces more frequently increases the odds of a scam landing for anyone.

**5\. How mindset shapes risk: overconfident and under-protected**

Seven in ten extortion victims say they’re confident they can spot a scam, more than half believe they could recoup any financial losses, and most trust their phone’s safety features. At the same time, many victims and targets simply don’t worry about mobile scams at all, resulting in a lack of protective measures. Adoption of security basics (security software, strong/unique passwords, multi-factor authentication, timely system updates, permission hygiene, data backups) remains low, even after painful firsthand experience.

**How to cut the risk**

Most of us use our phones to shop, find deals, and pay—and we deserve to be able to do that safely. Adopting preventative security measures (such as using mobile security software), practicing good mobile hygiene (such as checking app permissions), and remembering **STOP**, our simple scam response framework, can keep scammers at bay: 

**S**—Slow down: Don’t let urgency or pressure push you into action. Take a breath before responding. Legitimate businesses like your bank or credit card don’t push immediate action.

**T**—Test them: If you answered the phone and are feeling panicked about the situation, likely involving a family member or friend, ask a question only the real person would know—something that can’t be found online.  

**O**—Opt out: If it feels off, hang up or end the conversation. You can always say the connection dropped.

**P**—Prove it: Confirm the person is who they say they are by reaching out yourself through a trusted number, website, or method you’ve used before.

The criminals behind extortion scams pour time and money into targeting their victims, constantly evolving their tactics to make the scams more believable and hard-hitting. If you’ve been the victim of an extortion scam, sharing your story can help others spot the signs before it’s too late, reduce the stigma of being a victim, and put the shame where it belongs: on the criminals.

As Malwarebytes Global Head of Scam and AI Research Shahak Shalev puts it:

> “If we can remove the stigma and silence around scams, I think we can help everyone take a step back and pause before acting on one of these threats”

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 AI-driven scams are preying on Gen Z’s digital lives​ 

Imagine if a rogue app could glimpse tiny bits of your screen—even the parts you thought were secure, like your 2FA codes.

Researchers at US universities have demonstrated how a malicious Android app can trick the system into leaking pixel data. That may sound harmless, but imagine if a malicious app on your Android device could glimpse tiny bits of information on your screen—even the parts you thought were secure, like your two-factor authentication (2FA) codes.

That’s the chilling idea behind “Pixnapping” attacks described in the research paper coming from University of California (Berkeley and San Diego), University of Washington, and Carnegie Mellon University.

A pixel is one of the tiny colored dots that make up what you see on your device’s display. The researchers built a pixel-stealing framework that bypasses all browser protections and can even lift secrets from non-browser apps such as Google Maps, Signal, and Venmo—as well as websites like Gmail. It can even steal 2FA codes from Google Authenticator.

Pixnapping is a classic side-channel attack—stealing secrets not by breaking into software, but by observing physical clues that devices give off during normal use. Pixel-stealing ideas date back to 2013, but this research shows new tricks for extracting sensitive data by measuring how specific pixels behave.

The researchers tested their framework on modern Google Pixel phones (6, 7, 8, 9) and a Samsung Galaxy S25 and succeeded in stealing secrets from both browsers and non-browser apps. They disclosed the findings to Google and Samsung in early 2025. As of October 2025, Google has patched part of the vulnerability, but some workarounds remain and both companies are still working on a full fix. Other Android devices may also be vulnerable.

The technical knowledge required to perform such an attack is enormous. This isn’t “script kiddie” territory: Attackers would need deep knowledge of Android internals and graphics hardware. But once developed, a Pixnapping app could be disguised as something harmless and distributed like any other piece of Android malware.

To perform an attack, someone would have to convince or trick the target into installing the malicious app on their device.

This app abuses Android Intents—a fundamental part of how apps communicate and interact with each other on Android devices. You can think of an intent like a message, or request, that one app sends either to another app or to the Android operating system itself, asking for something to happen.

The malicious app’s programming will stack nearly transparent windows over the app it wants to spy on and watch for subtle timing signals that depend on pixel color.

It doesn’t take long—the paper shows it can steal temporary 2FA codes from Google Authenticator in under 30 seconds. Once stolen, the data is sent to a command-and-control (C2) server controlled by the attacker.

**How to stay safe**

From the steps it takes to perform such an attack we can list some steps that can keep your 2FA codes and other secrets safe.

1.  **Update regularly:** Make sure your device and apps have the latest security updates. Google and Samsung are rolling out fixes; don’t ignore those update prompts. The underlying vulnerability is tracked as CVE-2025-48561.
2.  **Be cautious installing apps:** Only install apps from trusted sources like Google Play and check reviews and permissions before installing. Avoid sideloading unknown APKs and ask yourself if the permissions an app asks for are really needed for what you want it to do.
3.  **Review permissions:** Android improved its permission system, but check regularly what apps can do, and don’t hesitate to remove permissions of the ones you don’t use often.
4.  **Use app screenshots wisely:** Don’t store or display sensitive info (like codes, addresses, or logins) in apps unless needed, and close apps after use.
5.  **Monitor security news:** Look for announcements from Google and Samsung about patches for this vulnerability, and act on them.
6.  **Enable Play Protect:** Keep Play Protect active to help spot malicious apps before they’re installed.
7.  **Use up-to-date real-time anti-malware protection** **on your Android device,** preferably with a web protection module.

If you’re worried about your 2FA codes getting stolen, consider switching to hardware token 2FA options.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Tag

#android