- cross-posted to:
- technology@lemmy.world
- cross-posted to:
- technology@lemmy.world
The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet. The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work. Google released mitigations last month, but the researchers said a modified version of the attack works even when the update is installed.
Except you have to grant permission to install it, thats a pretty big one, especially for average users who dont have Sideloading enabled
I doubt Google actually reviews each app submitted line by line of code. So a malicious developer can theoretically sneak it in one popular app via play store updates.
Good thing the point of 2FA is the 2 factor part so this only compromises one of the two, without some very coordinated attack it’s still quite hard to gain access to your accounts.
Hardware key is the way. Like a Yubikey
Code is generated on another device by using the encryption stored on the hardware key.
Since this app can read screen, you need a non network connected device to act as the key displayer.