Hackers can steal 2FA codes and private messages from Android phones
Source: Ars Technica
TL;DR (AI generated)
A new attack called Pixnapping can steal 2FA codes, private messages, and other data from Android devices within 30 seconds. The attack requires the victim to install a malicious app, which needs no system permissions to read data displayed on the screen. Google Pixel and Samsung Galaxy S25 phones have been demonstrated to be vulnerable, and other models may be affected as well. Google released mitigations, but a modified version of the attack still works with the update installed. Pixnapping works by manipulating pixels on the screen to extract sensitive information from targeted apps.