- cross-posted to:
- technology@lemmy.world
The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet. The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work. Google released mitigations last month, but the researchers said a modified version of the attack works even when the update is installed.
Google has actually done quite a bit of work to guard against this sort of thing in a general sense:
https://source.android.com/docs/core/virtualization/architecture
It effectively isolates every page of data for an application from other applications and even from the OS itself by using hardware virtualization support on ARM.
But things like video frame buffers are shared resources that can’t be easily isolated in this way, and that seems to be the attack vector in this case. That’s not to say this isn’t a failure on Google’s part to not catch this, but they aren’t the bad guys in this case and seem to be trying to address it.