Malicious app required to make “Pixnapping” attack work requires no permissions.

The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet. The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work. Google released mitigations last month, but the researchers said a modified version of the attack works even when the update is installed.

  • MaggiWuerze@feddit.orgEnglish
    15·
    1 day ago

    Googles Apps run with what are basically root permissions. They don’t need to design the permissions in such a way to get access, they can just do what they want

    • BCsven@lemmy.caEnglish
      4·
      23 hours ago

      That’s why I put GrapheneOS on my phone. It sandboxes apps and you can grant specific containerized storage spaces aaccesa per app.

      But screen reading OOF, I thought that would have needed screen overlay permissions.

      • MaggiWuerze@feddit.orgEnglish
        2·
        21 hours ago

        If only they would support more devices. Maybe they will broaden their lineup now that Google has basically curb stomped them

      • ReversalHatchery@beehaw.orgEnglish
        1·
        19 hours ago

        I don’t think the screen overlay permission gives access for screen capture

        I was wrong. but this article seems to imply that it’s screen overlay permission is what is needed for this to work.