Two-step verification with authentication apps is one of the safest ways to protect our accounts, or so we thought. Ars Technica reports that a group of researchers from several American universities has discovered a new type of attack on Android that can copy these codes in under 30 seconds, which is precisely the interval at which they refresh.
Pixnapping. That is the name of this new attack, which is capable of stealing two-step authentication codes from apps such as Google Authenticator or Microsoft Authenticator. These apps show codes that refresh automatically every 30 seconds, which makes them more secure than, for example, SMS verification, where the code usually remains valid for 10 or 15 minutes. With this technique, the researchers managed to recover the six-digit code in just 23 seconds, which leaves enough time to use it and log in to the account they want to take over.
How it works. Any app on Android can launch a pixnapping attack without needing to obtain special permissions. Once underway, the attack occurs in three steps:
- The malicious app uses Android APIs to communicate with the app it wants to spy on. These calls force the target app to display specific data (the authentication codes) and send this information to the Android rendering pipeline, which is responsible for displaying each app’s pixels on the screen.
- Pixnapping performs graphical operations on the pixels that the rendering pipeline has received. It identifies the coordinates of each pixel of interest and checks whether its color is white or non-white.
- White pixels take less time to render than non-white pixels. By measuring time, pixnapping is able to reconstruct images from the render pipeline data.
Speed is key. Pixnapping can also obtain other kinds of information that are visible on the screen, such as account numbers or personal data, but the speed at which it runs makes it especially dangerous for these authentication apps. To achieve this, the researchers reduced the number of samples taken per pixel so that they could decipher all six digits within the 30-second window.
Which phones does it affect? As we said, pixnapping only affects the Android operating system, but it seems to span quite a few versions. The investigation verified that the attack could be carried out on devices running Android 13 through Android 16. The researchers have only reproduced it on Pixel phones and a Samsung Galaxy S25, but they believe that, given the mechanism behind the attack, any Android device would be affected.
How to protect yourself. For now, waiting. Google has already released a patch, but it does little to mitigate this attack, and the researchers have found that there are ways to bypass it. In statements to The Register, Google confirmed that it would release a second patch in December to put an end to it. The good news is that Google says it has no evidence of apps exploiting this vulnerability.
Image | Pixnapping