The malicious app required to make a “Pixnapping” attack work requires no permissions.

Android devices are vulnerable to a new attack that can covertly steal two-factor authentication codes, location timelines, and other private data in less than 30 seconds.

The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet. The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work. Google released mitigations last month, but the researchers said a modified version of the attack works even when the update is installed.

**Like Taking a Screenshot**

Pixnapping attacks begin with the malicious app invoking Android programming interfaces that cause the authenticator or other targeted apps to send sensitive information to the device screen. The malicious app then runs graphical operations on individual pixels of interest to the attacker. Pixnapping then exploits a side channel that allows the malicious app to map the pixels at those coordinates to letters, numbers, or shapes.

“Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping,” the researchers wrote on an informational website. “Chat messages, 2FA codes, email messages, etc. are all vulnerable since they are visible. If an app has secret information that is not visible (e.g., it has a secret key that is stored but never shown on the screen), that information cannot be stolen by Pixnapping.”

The new attack class is reminiscent of GPU.zip, a 2023 attack that allowed malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites. It worked by exploiting side channels found in GPUs from all major suppliers. The vulnerabilities that GPU.zip exploited have never been fixed. Instead, the attack was blocked in browsers by limiting their ability to open iframes, an HTML element that allows one website (in the case of GPU.zip, a malicious one) to embed the contents of a site from a different domain.

Pixnapping targets the same side channel as GPU.zip, specifically the precise amount of time it takes for a given frame to be rendered on the screen.

“This allows a malicious app to steal sensitive information displayed by other apps or arbitrary websites, pixel by pixel,” Alan Linghao Wang, lead author of the research paper “Pixnapping: Bringing Pixel Stealing out of the Stone Age,” explained in an interview. “Conceptually, it is as if the malicious app was taking a screenshot of screen contents it should not have access to. Our end-to-end attacks simply measure the rendering time per frame of the graphical operations to determine whether the pixel was white or nonwhite.”

**Pixnapping in 3 Steps**

The attack occurs in three main steps. In the first, the malicious app invokes Android APIs that make calls to the app the attacker wants to snoop on. These calls can also be used to effectively scan an infected device for installed apps of interest. The calls can further cause the targeted app to display specific data it has access to, such as a message thread in a messaging app or a 2FA code for a specific site. This call causes the information to be sent to the Android rendering pipeline, the system that takes each app's pixels so they can be rendered on the screen. The Android-specific calls made include activities, intents, and tasks.

In the second step, Pixnapping performs graphical operations on individual pixels that the targeted app sent to the rendering pipeline. These operations choose the coordinates of target pixels the app wants to steal and begin to check if the color of those coordinates is white or nonwhite or, more generally, if the color is c or non-c (for an arbitrary color c).

“Suppose, for example, \[the attacker\] wants to steal a pixel that is part of the screen region where a 2FA character is known to be rendered by Google Authenticator,” Wang said. “This pixel is either white (if nothing was rendered there) or nonwhite (if part of a 2FA digit was rendered there). Then, conceptually, the attacker wants to cause some graphical operations whose rendering time is long if the target victim pixel is nonwhite and short if it is white. The malicious app does this by opening some malicious activities (i.e., windows) in front of the victim app that was opened in Step 1.”

The third step measures the amount of time required at each coordinate. By combining the times for each one, the attack can rebuild the images sent to the rendering pipeline one pixel at a time.

As Ars reader hotball put it in the comments below:

> Basically the attacker renders something transparent in front of the target app, then using a timing attack exploiting the GPU's graphical data compression to try finding out the color of the pixels. It's not something as simple as "give me the pixels of another app showing on the screen right now." That's why it takes time and can be too slow to fit within the 30 seconds window of the Google Authenticator app.

In an online interview, paper coauthor Ricardo Paccagnella described the attack in more detail:

> Step 1: The malicious app invokes a target app to cause some sensitive visual content to be rendered.
> 
> Step 2: The malicious app uses Android APIs to "draw over" that visual content and cause a side channel (in our case, GPU.zip) to leak as a function of the color of individual pixels rendered in Step 1 (e.g., activate only if the pixel color is c).
> 
> Step 3: The malicious app monitors the side effects of Step 2 to infer, e.g., if the color of those pixels was c or not, one pixel at a time.
> 
> Steps 2 and 3 can be implemented differently depending on the side channel that the attacker wants to exploit. In our instantiations on Google and Samsung phones, we exploited the GPU.zip side channel. When using GPU.zip, measuring the rendering time per frame was sufficient to determine if the color of each pixel is c or not. Future instantiations of the attack may use other side channels where controlling memory management and accessing fine-grained timers may be necessary (see Section 3.3 of the paper). Pixnapping would still work then: The attacker would just need to change how Steps 2 and 3 are implemented.

The amount of time required to perform the attack depends on several variables, including how many coordinates need to be measured. In some cases, there’s no hard deadline for obtaining the information the attacker wants to steal. In other cases—such as stealing a 2FA code—every second counts, since each one is valid for only 30 seconds. In the paper, the researchers explained:

> To meet the strict 30-second deadline for the attack, we also reduce the number of samples per target pixel to 16 (compared to the 34 or 64 used in earlier attacks) and decrease the idle time between pixel leaks from 1.5 seconds to 70 milliseconds. To ensure that the attacker has the full 30 seconds to leak the 2FA code, our implementation waits for the beginning of a new 30-second global time interval, determined using the system clock.
> 
> ... We use our end-to-end attack to leak 100 different 2FA codes from Google Authenticator on each of our Google Pixel phones. Our attack correctly recovers the full 6-digit 2FA code in 73%, 53%, 29%, and 53% of the trials on the Pixel 6, 7, 8, and 9, respectively. The average time to recover each 2FA code is 14.3, 25.8, 24.9, and 25.3 seconds for the Pixel 6, Pixel 7, Pixel 8, and Pixel 9, respectively. We are unable to leak 2FA codes within 30 seconds using our implementation on the Samsung Galaxy S25 device due to significant noise. We leave further investigation of how to tune our attack to work on this device to future work.

In an email, a Google representative wrote, “We issued a patch for CVE-2025-48561 in the September Android security bulletin, which partially mitigates this behavior. We are issuing an additional patch for this vulnerability in the December Android security bulletin. We have not seen any evidence of in-the-wild exploitation.”

Pixnapping is useful research in that it demonstrates the limitations of Google's security and privacy assurances that one installed app can’t access data belonging to another app. The challenges in implementing the attack to steal useful data in real-world scenarios, however, are likely to be significant. In an age when teenagers can steal secrets from Fortune 500 companies simply by asking nicely, the utility of more complicated and limited attacks is probably of less value.

_This story originally appeared on_ _Ars Technica._

A New Attack Lets Hackers Steal 2-Factor Authentication Codes From Android Phones

The proof-of-concept exploit allows an attacker to steal sensitive data from Gmail, Google Accounts, Google Authenticator, Google Maps, Signal, and Venmo.

Pixnapping Attack Lets Attackers Steal 2FA on Android

Gone are the days when extortion was only the plot line of crime dramas—today, these threatening tactics target anyone with a smartphone, especially Gen Z.

Gone are the days when extortion was only the plot line of crime dramas—today, these threatening tactics target anyone with a smartphone. As AI makes fake voices and videos sound and look real, high-pressure plays like sextortion, deepfakes, and virtual kidnapping feel more believable than ever before, tricking even the most digitally savvy users. Gen Z and Millennials are most at risk, accounting for two in three victims of extortion scams. These scammers prey on what’s personal, wreaking havoc on their victims’ privacy, reputations, and peace of mind.

Our latest research shows that one in three mobile users has been targeted by an extortion scam, and nearly one in five has fallen victim. Gen Z is hit hardest: more than half (58%) have been targets, and over 1 in 4 (28%) have been a victim. Sextortion—threatening to leak nude photos or videos or expose pornographic search history— is particularly notable, with one in six mobile users reporting they’ve been a target. Among Gen Z, that number jumps to 38%.

**Five things to know about mobile extortion scams******1\. Who’s most at risk: Gen Z and Millennials with a risk tolerant profile****

Compared to victims and targets of other types of mobile scams, extortion victims tend to be younger, male, and mobile-first. Their profile:

*   **Young:** 69% of victims and 64% of targets are Gen Z or Millennial (vs. 52%/40% of victims and targets of other types of scams, respectively)
*   **Male:** 65% of victims and 60% of targets are male (vs. 48%/45%)
*   **Parents:** 45% of victims and 41% of targets are parents (vs. 36%/26%)
*   **Minorities:** 53% of victims are non-white (vs. 39%)
*   **Mobile-first:** 52% of victims and 46% of targets agree _“I’m more likely to click a link on my phone than on my laptop”_ (vs. 42%/36%)

However, this simply shows how targets and victims skew. Behaviors typically play a bigger role in overall risk.

**2\. What the damage looks like: emotional and deeply personal**

Extortion criminals use personal, high-stakes threats in their scams. Victims and targets of extortion scams in our survey report experiences ranging from scammers threatening to expose nude photos and videos to claims that a family member was in an accident.

These personalized, high-pressure threats make extortion victims especially vulnerable, and while victims of all mobile scams suffer serious emotional, financial, and functional fallout at the hands of their scammers, extortion victims experience outsized impact:

*   **Nearly 9 in 10** extortion victims reported **emotional harm** because of the scam they experienced
*   **35%** experienced **blackmail or harassment**
*   **21%** experienced **damage to their reputation**
*   **19%** faced **consequences at work or school**

Even when targets don’t fall victim, the threats alone can cause emotional harm:

> “I didn’t lose anything, I was just **scared** because they wanted to inform all my friends, family, and employers how perverted I was because I supposedly watched porn.”   
> 
> —Gen Z survey respondent, DACH region

**3\. Why it’s getting worse: AI is raising the stakes**

AI is increasingly good at making fake feel real, giving criminals even more of an advantage when manipulating and extorting victims. One in five mobile users has been the target of a deepfake scam and nearly as many have encountered a virtual kidnapping scam (a decades-old tactic that now often uses AI voice cloning). Two in five (43%) Gen Z users have been a target of one of these.

 Who AI scams hit: Victims and targets skew Gen Z and iPhone users with a deep digital footprint. This could leave their personal information, images, or even voice more accessible to cybercriminals who want to use it as part of a scam.

*   **Gen Z:** 45% (vs. 31% for extortion victims and targets overall)
*   **iPhone users:** 62% (vs. 51% overall)
*   **Data sharers\*:** 81% (vs. 71% overall)

_\*Agree with the statement: “I understand that sharing personal information with apps, on social media, or on messaging services can be risky, but I am okay with that risk”_

So why might exposure be higher for Gen Z? Digital natives are most entrenched in mobile-first behavior and most active in low-oversight casual commerce (DMing for deals, using buy/sell/trade groups, clicking on ads to purchase or download, sending money for a future service). They also show up more on alternative platforms like Discord, Tumblr, Twitch, and Mastodon, where identity checks are lighter and parasocial trust runs high, creating a sweet spot for scammers. 

> “The scammer makes you believe it is a legit conversation. They/He/She talk to you like they know you. Trying to convince you they are supporting/helping you in some way to fix something. When they are just fishing for more information!”
> 
> _— Gen Z US Survey Respondent_   

For victims of AI-driven scams, the fallout is even more extreme: 32% suffered reputation damage (vs. 21% for extortion victims overall), 29% suffered work/school consequences (vs. 11%), 24% had their personal information stolen (vs. 14%), and 21% had financial accounts opened in their name (vs. 13%), underscoring the threat of these evolving scams. 

**4\. Where the risk lives: constant, cross-channel exposure   **

Scammers know the more they approach a target, the more likely they are to create a victim. 78% of extortion victims and 63% of targets experience scam attempts daily (vs. 44%/36% in other scam groups), driving alert fatigue and making it more likely that a scammer will slip through the cracks.

Extortion victims and targets also over-index on using informal buying and selling channels—spaces like social media where identity is fuzzy, protections are lacking, and decisions are quick. Being in more casual spaces more frequently increases the odds of a scam landing for anyone.

**5\. How mindset shapes risk: overconfident and under-protected**

Seven in ten extortion victims say they’re confident they can spot a scam, more than half believe they could recoup any financial losses, and most trust their phone’s safety features. At the same time, many victims and targets simply don’t worry about mobile scams at all, resulting in a lack of protective measures. Adoption of security basics (security software, strong/unique passwords, multi-factor authentication, timely system updates, permission hygiene, data backups) remains low, even after painful firsthand experience.

**How to cut the risk**

Most of us use our phones to shop, find deals, and pay—and we deserve to be able to do that safely. Adopting preventative security measures (such as using mobile security software), practicing good mobile hygiene (such as checking app permissions), and remembering **STOP**, our simple scam response framework, can keep scammers at bay: 

**S**—Slow down: Don’t let urgency or pressure push you into action. Take a breath before responding. Legitimate businesses like your bank or credit card don’t push immediate action.

**T**—Test them: If you answered the phone and are feeling panicked about the situation, likely involving a family member or friend, ask a question only the real person would know—something that can’t be found online.  

**O**—Opt out: If it feels off, hang up or end the conversation. You can always say the connection dropped.

**P**—Prove it: Confirm the person is who they say they are by reaching out yourself through a trusted number, website, or method you’ve used before.

The criminals behind extortion scams pour time and money into targeting their victims, constantly evolving their tactics to make the scams more believable and hard-hitting. If you’ve been the victim of an extortion scam, sharing your story can help others spot the signs before it’s too late, reduce the stigma of being a victim, and put the shame where it belongs: on the criminals.

As Malwarebytes Global Head of Scam and AI Research Shahak Shalev puts it:

> “If we can remove the stigma and silence around scams, I think we can help everyone take a step back and pause before acting on one of these threats”

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 AI-driven scams are preying on Gen Z’s digital lives​ 

Imagine if a rogue app could glimpse tiny bits of your screen—even the parts you thought were secure, like your 2FA codes.

Researchers at US universities have demonstrated how a malicious Android app can trick the system into leaking pixel data. That may sound harmless, but imagine if a malicious app on your Android device could glimpse tiny bits of information on your screen—even the parts you thought were secure, like your two-factor authentication (2FA) codes.

That’s the chilling idea behind “Pixnapping” attacks described in the research paper coming from University of California (Berkeley and San Diego), University of Washington, and Carnegie Mellon University.

A pixel is one of the tiny colored dots that make up what you see on your device’s display. The researchers built a pixel-stealing framework that bypasses all browser protections and can even lift secrets from non-browser apps such as Google Maps, Signal, and Venmo—as well as websites like Gmail. It can even steal 2FA codes from Google Authenticator.

Pixnapping is a classic side-channel attack—stealing secrets not by breaking into software, but by observing physical clues that devices give off during normal use. Pixel-stealing ideas date back to 2013, but this research shows new tricks for extracting sensitive data by measuring how specific pixels behave.

The researchers tested their framework on modern Google Pixel phones (6, 7, 8, 9) and a Samsung Galaxy S25 and succeeded in stealing secrets from both browsers and non-browser apps. They disclosed the findings to Google and Samsung in early 2025. As of October 2025, Google has patched part of the vulnerability, but some workarounds remain and both companies are still working on a full fix. Other Android devices may also be vulnerable.

The technical knowledge required to perform such an attack is enormous. This isn’t “script kiddie” territory: Attackers would need deep knowledge of Android internals and graphics hardware. But once developed, a Pixnapping app could be disguised as something harmless and distributed like any other piece of Android malware.

To perform an attack, someone would have to convince or trick the target into installing the malicious app on their device.

This app abuses Android Intents—a fundamental part of how apps communicate and interact with each other on Android devices. You can think of an intent like a message, or request, that one app sends either to another app or to the Android operating system itself, asking for something to happen.

The malicious app’s programming will stack nearly transparent windows over the app it wants to spy on and watch for subtle timing signals that depend on pixel color.

It doesn’t take long—the paper shows it can steal temporary 2FA codes from Google Authenticator in under 30 seconds. Once stolen, the data is sent to a command-and-control (C2) server controlled by the attacker.

**How to stay safe**

From the steps it takes to perform such an attack we can list some steps that can keep your 2FA codes and other secrets safe.

1.  **Update regularly:** Make sure your device and apps have the latest security updates. Google and Samsung are rolling out fixes; don’t ignore those update prompts. The underlying vulnerability is tracked as CVE-2025-48561.
2.  **Be cautious installing apps:** Only install apps from trusted sources like Google Play and check reviews and permissions before installing. Avoid sideloading unknown APKs and ask yourself if the permissions an app asks for are really needed for what you want it to do.
3.  **Review permissions:** Android improved its permission system, but check regularly what apps can do, and don’t hesitate to remove permissions of the ones you don’t use often.
4.  **Use app screenshots wisely:** Don’t store or display sensitive info (like codes, addresses, or logins) in apps unless needed, and close apps after use.
5.  **Monitor security news:** Look for announcements from Google and Samsung about patches for this vulnerability, and act on them.
6.  **Enable Play Protect:** Keep Play Protect active to help spot malicious apps before they’re installed.
7.  **Use up-to-date real-time anti-malware protection** **on your Android device,** preferably with a web protection module.

If you’re worried about your 2FA codes getting stolen, consider switching to hardware token 2FA options.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Pixel-stealing “Pixnapping” attack targets Android devices 

Spanish Guardia Civil and Group-IB arrest 'GoogleXcoder,' the 25-year-old Brazilian mastermind of the GXC Team, for selling AI-powered phishing kits and malware used to steal millions from banks across the US, UK, Spain, and Brazil.

The Spanish Guardia Civil, with assistance from the research firm Group-IB, has successfully dismantled one of the world’s most active online crime networks- the GXC Team. This nationwide operation, which saw six coordinated searches across Spain, ended in the arrest of the alleged mastermind on May 20, 2025.

The individual arrested in San Vicente de la Barquera, Cantabria, is a 25-year-old Brazilian national known online as GoogleXcoder. Authorities also detained other criminals who were actively using his illegal tools. It must be noted that over the last year, this group’s actions are believed to have caused financial losses amounting to millions of euros.

Suspects being detained (Source: Group-IB)

****Selling Crime Tools as a Service****

Emerging in early 2023, the suspect GoogleXcoder ran a Crime-as-a-Service (CaaS) operation. This means he was not always the one robbing people, but instead, he sold the specialised tools criminals needed to carry out massive scams.

These dangerous tools targeted institutions like banks, transportation companies, and online shops in several countries, including Spain, Slovakia, the UK, the US, and Brazil. He offered these kits on underground channels, even having a Telegram group shamelessly named “Steal everything from grandmas,” which shows their lack of conscience.

The service offered multiple high-tech tools, including:

**Phishing Kits:** These kits allowed other criminals to create fake websites that perfectly copied the online pages of 10 Spanish banks and more than 30 international institutions and government portals.

**Android Malware:** This was a malicious program disguised as a simple banking app. Once installed, it became the phone’s main messaging application and could steal One-Time Passwords (OTPs), which are the security codes you get via text.

**AI Voice Scams:** An innovative addition, these tools automatically generate realistic-sounding voice calls to trick victims into giving up their Two-Factor Authentication (2FA) codes, the extra security layer we rely on.

The Threat Actor’s Profile (Source: Group-IB)

****The Investigation and Arrest****

The operation was only possible after Group-IB mapped out the team’s entire setup, finding over 250 fake scam sites and nine different types of bad software. This intelligence was shared with the Guardia Civil’s Department against Cybercrime.

Investigation further revealed that GoogleXcoder lived as a digital nomad, constantly moving between Spanish regions and using stolen identities to rent homes and get new phone lines, making him difficult to track.

Following the evidence trail, the Guardia Civil conducted raids not only in Cantabria but also in cities like Valladolid, Barcelona, and Zaragoza. Authorities seized electronic devices containing the source code for the fake websites, records of communication with his criminal clients, and financial details. The year-long investigation also tracked and recovered stolen funds that had been moved through various digital currencies, finally dismantling the channels used to run the schemes.

“The ‘GXC Team’ case demonstrates how artificial intelligence can be misused to industrialise fraud and impersonation on an unprecedented scale. Group-IB was the first to investigate this AI-enabled framework, allowing us to support law enforcement in preventing its spread and mitigating its impact,” Group-IB’s head of cybercrime investigation in Europe, Anton Ushakov, concluded in the blog post.

Police Bust GXC Team, One of the Most Active Cybercrime Networks

Android devices from Google and Samsung have been found vulnerable to a side-channel attack that could be exploited to covertly steal two-factor authentication (2FA) codes, Google Maps timelines, and other sensitive data without the users' knowledge pixel-by-pixel.
The attack has been codenamed Pixnapping by a group of academics from the University of California (Berkeley), University of

Vulnerability / Mobile Security

Android devices from Google and Samsung have been found vulnerable to a side-channel attack that could be exploited to covertly steal two-factor authentication (2FA) codes, Google Maps timelines, and other sensitive data without the users' knowledge pixel-by-pixel.

The attack has been codenamed **Pixnapping** by a group of academics from the University of California (Berkeley), University of Washington, University of California (San Diego), and Carnegie Mellon University.

Pixnapping, at its core, is a pixel-stealing framework aimed at Android devices in a manner that bypasses browser mitigations and even siphons data from non-browser apps like Google Authenticator by taking advantage of Android APIs and a hardware side-channel, allowing a malicious app to weaponize the technique to capture 2FA codes in under 30 seconds.

"Our key observation is that Android APIs enable an attacker to create an analog to \[Paul\] Stone-style attacks outside of the browser," the researchers said in a paper. "Specifically, a malicious app can force victim pixels into the rendering pipeline via Android intents and compute on those victim pixels using a stack of semi-transparent Android activities."

The study specifically focused on five devices from Google and Samsung running Android versions 13 to 16, and while it's not clear if Android devices from other original equipment manufacturers (OEMs) are susceptible to Pixnapping, the underlying methodology necessary to pull off the attack is present in all devices running the mobile operating system.

What makes the novel attack significant is that any Android app can be used to execute it, even if the application does not have any special permissions attached via its manifest file. However, the attack presupposes that the victim has been convinced by some other means to install and launch the app.

The side-channel that makes Pixnapping possible is GPU.zip, which was disclosed by some of the same researchers back in September 2023. The attack essentially takes advantage of a compression feature in modern integrated GPUs (iGPUs) to perform cross-origin pixel stealing attacks in the browser using SVG filters.

Overview of our pixel stealing framework

The latest class of attack combines this with Android's window blur API to leak rendering data and enable theft from victim apps. In order to accomplish this, a malicious Android app is used to send victim app pixels into the rendering pipeline and overlay semi-transparent activities using intents – an Android software mechanism that allows for navigation between applications and activities.

In other words, the idea is to invoke a target app containing information of interest (e.g., 2FA codes) and cause the data to be submitted for rendering, following which the rogue app installed the device isolates the coordinates of a target pixel (i.e., ones which contain the 2FA code) and induces a stack of semi-transparent activities to mask, enlarge, and transmit that pixel using the side-channel. This step is then repeated for every pixel pushed to the rendering pipeline.

The researchers said Android is vulnerable to Pixnapping due to a combination of three factors that allow an app to -

*   Send another app's activities to the Android rendering pipeline (e.g., with intents)
*   Induce graphical operations (e.g., blur) on pixels displayed by another app's activities
*   Measure the pixel color-dependent side effects of graphical operations

Google is tracking the issue under the CVE identifier CVE-2025-48561 (CVSS score: 5.5). Patches for the vulnerability were issued by the tech giant as part of its September 2025 Android Security Bulletin, with Google noting that: "An application requesting lots and lots of blurs: (1) enables pixel stealing by measuring how long it takes to perform a blur across windows, \[and\] (2) probably isn't very valid anyways."

However, it has since come to light that there exists a workaround that can be used to re-enable Pixnapping. The company is said to be working on a fix.

Furthermore, the study found that as a consequence of this behavior, it's possible for an attacker to determine if an arbitrary app is installed on the device, bypassing restrictions implemented since Android 11 that prevent querying the list of all installed apps on a user's device. The app list bypass remains unpatched, with Google marking it as "won't fix."

"Like browsers at the beginning, the intentionally collaborative and multi-actor design of mobile app layering makes the obvious restrictions unappealing," the researchers concluded.

"App layering is not going away, and layered apps would be useless with a no-third-party-cookies style of restriction. A realistic response is making the new attacks as unappealing as the old ones: allow sensitive apps to opt out and restrict the attacker's measurement capabilities so that any proof-of-concept stays just that."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

New Pixnapping Android Flaw Lets Rogue Apps Steal 2FA Codes Without Permissions

Astaroth banking trojan has evolved to use GitHub and steganography for resilient C2, hiding its vital commands in images. Learn how this sophisticated malware employs fileless techniques to steal banking and crypto credentials from users across Latin America.

A new report from McAfee Labs reveals that a dangerous banking trojan, Astaroth, is being distributed with a worrying new trick to stay active- abusing the software development platform GitHub as a secret backup location.

****An Unexpected New Hiding Place****

Written in Delphi, Astaroth is a banking trojan designed to silently steal login details and passwords using keylogging when a victim accesses banking or cryptocurrency accounts. Normally, these cybercriminals rely on central C2 (command-and-control) servers that security experts can find and disable.

However, the McAfee Threat Research team discovered that Astaroth is storing its vital setup files on GitHub. This means, if the main C2 server is shut down by law enforcement or security experts, Astaroth simply gets new instructions from the GitHub repository, which hosts the information hidden in images using steganography, and continues its operations. Once credentials are stolen, the malware uses the tool Ngrok to secretly exfiltrate the data back to the attackers.

****How the Attack Starts****

The attack usually begins with a phishing email (pretending to be a document or resume) that contains a link. This link downloads a zipped file with a malicious Windows shortcut (.lnk) file.

Astaroth C2 Infrastructure, Phishing Email and Attack Flow (source: McAfee)

Opening this shortcut triggers a complex, multi-stage infection chain that eventually installs Astaroth by abusing legitimate Windows system files, a technique known as living off the land. The .lnk file executes a hidden script using mshta.exe (a Microsoft HTML Application host) to get additional code.

The final malicious payload is then secretly injected into the legitimate Windows process regsvc.exe (Remote Registry Service) to run undetected. The Astaroth malware also employs various anti-analysis techniques, including monitoring and targeting popular web browsers (programs with a window class name containing chrome, ieframe, mozilla, or xoff).

Astaroth targets financial institutions across a wide region, including Brazil (where the current campaign is focused), Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, Panama, Portugal, and Italy.

Targeted Brazilian financial institutions include sites like caixa.gov.br, safra.com.br, itau.com.br, bancooriginal.com.br, santandernet.com.br, and btgpactual.com. It also targets cryptocurrency-related sites such as etherscan.io, binance.com, bitcointrade.com.br, and localbitcoins.com.

Moreover, the malware instantly shuts down if it detects that it is being analysed by security researchers. McAfee Labs reported its findings to GitHub, after which the malicious files were taken down, temporarily disrupting this latest activity.

This latest development confirms Astaroth remains one of the most sophisticated online threats and follows previous warnings from security experts. In February 2025, Hackread.com reported on an advanced Astaroth phishing kit discovered by SlashNext that used an “evilginx-style reverse proxy” to easily bypass two-factor authentication (2FA) and steal credentials and session cookies in real time.

The current banking trojan variant primarily relies on keylogging after infection and may not actively bypass 2FA during login. Nevertheless, to protect yourself, the most critical step is to never open links or attachments in emails from unknown senders.

_“_The threat landscape is surging, in particular the mobile threat landscape, as in 2024, more than 4 million social engineering attacks targeted mobile devices, over 33 million mobile malware/adware incidents were blocked, and phishing attacks rose significantly, especially on iOS,_“_ said Randolph Barr, Chief Information Security Officer at Cequence Security.

_“_Android continues to face banking Trojans and data-leaking SDKs, while insecure app practices plague both platforms. Most of these attacks are aimed at PII, credentials, and financial data,_“_ Barr cautioned.

_“_Employers and service providers add a third risk layer. Each validation request is a new integration point, creating an additional attack surface. Bad actors could compromise employer systems, abuse verification APIs, or phish organizations into over-collecting and mishandling sensitive data. Since employers often lack the same level of cybersecurity maturity as, say, government systems, they may become the weakest link in the chain,_“_ he warned.

Astaroth Trojan Uses GitHub Images to Stay Active After Takedowns

Every week, the cyber world reminds us that silence doesn’t mean safety. Attacks often begin quietly — one unpatched flaw, one overlooked credential, one backup left unencrypted. By the time alarms sound, the damage is done.
This week’s edition looks at how attackers are changing the game — linking different flaws, working together across borders, and even turning trusted tools into weapons.

⚡ Weekly Recap: WhatsApp Worm, Critical CVEs, Oracle 0-Day, Ransomware Cartel & More

A list of topics we covered in the week of October 6 to October 12 of 2025

October 10, 2025 - The more sensitive data that companies have to collect and store, the greater the consequences for users if it’s breached.

October 10, 2025 - It’s once again time to change your passwords, but if one government agency has its way, this might be the very last time you do it.

October 10, 2025 - Two AI "girlfriend" apps have blabbed millions of intimate conversations from more than 400,000 users.

October 9, 2025 - Mobdro Pro IP TV + VPN hides Klopatra, a new Android Trojan that lets attackers steal banking credentials.

October 9, 2025 - California just passed 14 new privacy and AI laws. We’re highlighting a few that give users real control over their personal data.

 A week in security (October 6 &#8211; October 12) 

Fortinet warns of Stealit, a MaaS infostealer, now targeting Windows systems and evading detection by using Node.js’s SEA feature while hiding in fake game and VPN installers.

Cybersecurity researchers at Fortinet’s FortiGuard Labs have issued a warning about an active MaaS (malware-as-a-service) operation distributing a dangerous data-stealing malware called Stealit.

This malicious program is designed to take over a victim’s computer and steal private information. The campaign is current, actively targeting Microsoft Windows users across all organisations, and has been classified with a Medium severity level.

Stealit Homepage (Source: Fortinet)

****A New Way to Hide****

The advanced tactics employed by the Stealit campaign show the malware is now using a highly deceptive new method to bypass security measures.

FortiGuard Labs’ investigation revealed that the campaign is leveraging a feature in the Node.js development platform called Single Executable Application (SEA). This is a crucial detail, as older versions of the malware used a different tool named Electron. The purpose of this change is to make the malware harder to spot and block.

The new SEA approach packs all the necessary malicious files into one simple program. This means the program can run even on a computer that does not have the Node.js software installed. The researchers explained that this allows the malware to run “without requiring a pre-installed Node.js runtime or additional dependencies.”

Threat actors are likely taking advantage of the SEA feature’s novelty, hoping to catch security programs and analysts off guard. The malware is further protected by heavy code obfuscation and numerous anti-analysis checks designed to detect and terminate execution if it detects a debugger, a virtual environment, or suspicious processes.

****A Professional Cybercrime Service****

Stealit operators are running this as a full commercial service, advertising “professional data extraction solutions” through various subscription plans. They have relocated their Command-and-Control (C2) server multiple times, switching from the domain stealituptaded.lol to iloveanimals.shop. Moreover, they offer clear pricing for lifetime access: around $500 for the Windows version and $2,000 for the Android version.

Malware’s Subscription Pricing (Source: Fortinet)

The malware’s USP is its extensive list of remote access capabilities, including:

*   File extraction

*   Ransomware deployment

*   Live screen monitoring and webcam control

*   Remote system management (shutdown/restart)

*   The ability to push fake alert messages to the victim.

****What’s At Risk****

According to FortiGuard Labs’ blog post shared with Hackread.com ahead of publishing on Friday, Stealit operators are distributing the malware by hiding it as installers for popular games and VPN applications. They upload these files (packaged in common compressed archives or as PyInstaller) to file-sharing sites such as Mediafire and Discord.

When successfully installed, the malicious program extracts a wide range of information, including sensitive data like login credentials and cryptocurrency wallets from various applications, which can then be used in future attacks.

The researchers noted that the malware’s authors quickly shift tactics, sometimes reverting to the older Electron framework for payload delivery to keep security teams guessing.

This campaign highlights how quickly threat actors adapt by weaponising legitimate software features, like Node.js SEA, to remain undetected. With the malware being distributed via lures like games and VPNs, users must exercise extreme caution with software downloads from unofficial sources.

_“_This is great research tracking the evolution of a focused campaign,_“_ said Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity.

_“_The targeted user population is what’s most interesting to me – gamers generally have high-performance hardware, and are accustomed to running all kinds of random software in support of their gaming, and the gaming ecosystem is a mess of binaries and network connections BEFORE you start adding in helpers, performance mods, and cheating resources_,”_ Ford explained.

Ford warned that when IT professionals use the same devices or networks for both gaming and work, it creates a vulnerable environment that attackers could exploit for coordinated cyber operations.

_“_There is a large population of privileged IT workers that are avid gamers (many moved into IT thanks to a passion for gaming) – meaning hardware used for work and play, lateral network access to their laptop, and extortionary material on those users are all levers to be used for coordinated adversarial development._“_

Tag

#android