- cross-posted to:
- technology@lemmy.world
- cross-posted to:
- technology@lemmy.world
The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet. The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work. Google released mitigations last month, but the researchers said a modified version of the attack works even when the update is installed.
Okay, that’s not so bad
Holy fuck, how the fuck does this even happen? No permission but still read screen data? That’s a horrible flaw. Does google intentionally do this so they can read all user activity ever? And even their fixes are flawed? Fuck
Google has actually done quite a bit of work to guard against this sort of thing in a general sense:
https://source.android.com/docs/core/virtualization/architecture
It effectively isolates every page of data for an application from other applications and even from the OS itself by using hardware virtualization support on ARM
But things like video frame buffers are shared resources that can’t be easily isolated on this way and that seems to be the attack vector in this case. That not to say this isn’t a failure on Google’s part to not catch this, but they aren’t the bad guys in this case and seem to be trying to address it
https://f-droid.org/packages/io.nandandesai.privacybreacher
It hasn’t been updated in five years. I’m not sure of the current state of things in Android, but apps used to be able to access all kinds of personal data with zero permissions: listing all installed apps, access to sensors/accelerometers, battery level, when charger/headphones were last plugged or unplugged.
screen capture is an entirely different thing though, and that was not available without permissions for a very long time
This is true. Non-Google apps trying to read your screen had to convince users to enable Accessibility permission.
This headline is a bit click baity
It is bad but because it is a side channel attack it very hard to pull off. You need the starts to align and for the user to stay on the same screen for a long time for it to actually be exploited.
Bugs happen. You act like there has never been a serious FoSS vulnerability.
They are working with the researchers and addressing it 🤷♂️.
google wants all your data, so it make sense theres this vulnerability, remember the android core spy app they tried to secretely install to peoples phones.
Googles Apps run with what are basically root permissions. They don’t need to design the permissions in such a way to get access, they can just do what they want
That’s why I put GrapheneOS on my phone. It sandboxes apps and you can grant specific containerized storage spaces aaccesa per app.
But screen reading OOF, I thought that would have needed screen overlay permissions.
If only they would support more devices. Maybe they will broaden their lineup now that Google has basically curb stomped them
I don’t think the screen overlay permission gives access for screen captureI was wrong. but this article seems to imply that it’s screen overlay permission is what is needed for this to work.
“tried” why, do you think they failed?