October 14, 2025 | cryptonews

Warning to Android Crypto Users: New ‘Pixnapping’ Attack Can Steal Seed Phrases Directly From Your Screen

Cybersecurity researchers at Carnegie Mellon University have identified a new Android vulnerability that could allow hackers to steal sensitive on-screen data, including crypto wallet seed phrases and two-factor authentication (2FA) codes, without special […] attack, named Pixnapping, targets devices from Google and Samsung and uses a previously known GPU side-channel technique called […] attack begins when a user installs a malicious app, which then silently invokes another application, such as a crypto wallet or authentication app, from which it intends to extract data.

Pixnapping is not fixed and probably affects all Androids. PoC: Not available […] 2FA codes […] — Mobile Hacker (@androidmalware2) October 14, 2025

On average, the attack retrieved a full six-digit code in under 30 seconds, fast enough to exploit the brief validity period of most 2FA […] team noted that while recovering long recovery phrases would take more time, crypto seed phrases remain highly vulnerable if left visible while being written […] these phrases stay on the screen longer than time-sensitive codes, attackers could potentially reconstruct them pixel by pixel if users are not […] vulnerability, tracked as CVE-2025-48561, was reported to Google in February 2025.

A partial patch was issued with September’s Android security update, but the researchers said they found a workaround that allows the attack to continue […] has since acknowledged the issue as high severity and confirmed that a second fix is being developed, expected in […] their tests, the researchers were able to extract sensitive data not only from crypto wallets and Google Authenticator but also from applications like Gmail, Signal, Venmo, and Google […] the exploit targets visible screen content rather than stored files or permissions, even strict app isolation measures fail to block […] to the researchers, Google initially attempted to mitigate the flaw by limiting how many activities an app can blur simultaneously, but this proved […] have also alerted Samsung that the patch does not protect its […]

[…] can steal 2FA codes and private messages from Android phones! Researchers discovered a new Android side-channel that defeats app […] installing a malicious app, an attacker can directly see what other apps display, for instance 2FA codes or Seed phrases! The… — Vladimir S. | Officer's Notes (@officer_cia) October 14, 2025

Security experts advise crypto users to avoid displaying recovery phrases or 2FA codes on internet-connected devices. Instead, they recommend using hardware wallets, which store private keys and recovery phrases offline, preventing exposure through screen-based attacks like […]

[…] Investors Face Rising Android Malware Threats

A surge in Android-based crypto malware has intensified global cybersecurity concerns, with several major incidents surfacing over recent […] April, researchers uncovered “Crocodilus,” a remote-access trojan targeting crypto wallet users in Turkey and […] by ThreatFabric, the malware disguises itself as legitimate crypto apps, tricking victims into revealing their seed phrases through fake security […] installed, it abuses Android’s Accessibility Services to steal passwords, intercept two-factor codes, and capture wallet credentials, all while masking activity behind a black-screen […] experts say Crocodilus spreads through multiple channels, including phishing emails, compromised websites, and malicious ads, making it difficult to trace the original […] discovery follows reports of broader malware campaigns tied to fake AI, gaming, and Web3 […]

[…] have deployed crypto-stealing malware by impersonating AI and Web3 startups, leveraging fake profiles and websites to target users globally. #Cryptomalware #CryptoScams […] — […] (@cryptonews) July 11, 2025

According to cybersecurity firm Darktrace, attackers have built convincing online presences, complete with fake company websites, social profiles, and GitHub repositories, to lure users into downloading infected […] campaigns use malware families such as Realst and Atomic Stealer, capable of exfiltrating wallet data on both Windows and […] warn that these scams represent a growing sophistication in crypto-focused attacks, combining social engineering with advanced obfuscation and persistent execution […] experts advise users to verify project legitimacy, avoid downloading software from unverified sources, and remain cautious of unsolicited offers or airdrops, especially those linked to new “startups” or crypto platforms promising exclusive access or rewards.
