New Android attack: Pixnapping


What happened: Security researchers have revived a 12-year-old browser-based data theft technique to target Android devices, creating a powerful new attack called Pixnapping.

  • The method allows a malicious Android app to steal data displayed on other apps or websites — including sensitive information from Google Maps, Gmail, Signal, Venmo, and even 2FA codes from Google Authenticator — without requiring special permissions.
  • Pixnapping works by exploiting a hardware side channel (GPU.zip) to read screen pixel data through rendering time measurements. By overlaying transparent activities and timing how quickly pixels render, attackers can reconstruct screen content pixel by pixel. Although the technique only leaks 0.6 to 2.1 pixels per second, it’s enough to recover sensitive data like authentication codes.
  • The vulnerability, CVE-2025-48561, affects devices running Android 13 through 16 (including Pixel 6–9 and Galaxy S25). A partial patch was issued in September 2025, with a more comprehensive fix expected in December.

Why is this important: Pixnapping exposes a fundamental flaw in Android’s rendering and GPU architecture, demonstrating that even long-resolved attacks can resurface in new forms.

  • Because it doesn’t require special permissions, a seemingly harmless app downloaded from the Google Play Store could secretly spy on sensitive on-screen data.
  • The attack also highlights a broader problem with side-channel vulnerabilities — leaks caused not by software bugs but by how hardware processes data.
  • These are notoriously difficult to detect and fix, posing ongoing challenges for mobile security.

Why should I care: If you use Android, this research underscores the potential for covert data theft without any user action or warning.

  • Apps could silently harvest sensitive details like banking information, 2FA codes, or location data simply by observing your screen activity.
  • Even though Google says there’s no evidence of exploitation, the mere existence of this attack shows that malware could bypass traditional security defenses.

What’s next: Google is rolling out further fixes to limit abuse of the blur API and improve detection. However, researchers warn that workarounds already exist, and the underlying GPU.zip vulnerability remains unresolved. Until a permanent solution is found, users should limit the installation of untrusted apps and keep their devices updated. Security experts also expect more side-channel attacks like Pixnapping to emerge as attackers refine these sophisticated techniques.
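To act on the update advice above, a device's reported Android release and security patch level can be compared with the dates given in this article. This is an added example, not code from the researchers or Google; the function names and the mapping of the September and December fixes to patch levels `2025-09-01` and `2025-12-01` are assumptions.

```sh
#!/bin/sh
# Triage Android devices against the CVE-2025-48561 timeline in the article.
# Assumed thresholds (derived from the article's dates, not vendor-published):
PARTIAL_FIX=20250901   # September 2025 partial patch
LATER_FIX=20251201     # December fix, described in the article only as "expected"

# pixnapping_status RELEASE PATCH_LEVEL
#   RELEASE      value of ro.build.version.release, e.g. "14"
#   PATCH_LEVEL  value of ro.build.version.security_patch, e.g. "2025-08-05"
pixnapping_status() {
    release=${1%%.*}                      # keep the major version only
    patch=$2
    case $release in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;
    esac
    case $patch in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    # The article lists Android 13 through 16 as affected.
    if [ "$release" -lt 13 ] || [ "$release" -gt 16 ]; then
        echo "outside-listed-range"
        return 0
    fi
    patch_num=$(printf '%s' "$patch" | tr -d '-')   # 2025-08-05 -> 20250805
    if [ "$patch_num" -lt "$PARTIAL_FIX" ]; then
        echo "unpatched"
    elif [ "$patch_num" -lt "$LATER_FIX" ]; then
        echo "partial-patch"
    else
        echo "december-level-or-later"
    fi
}

# Report every device currently attached over adb (call this manually).
check_adb_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # </dev/null stops adb from consuming the loop's stdin
        rel=$(adb -s "$serial" shell getprop ro.build.version.release </dev/null | tr -d '\r')
        lvl=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null | tr -d '\r')
        printf '%s\t%s\t%s\t%s\n' "$serial" "$rel" "$lvl" "$(pixnapping_status "$rel" "$lvl")"
    done
}
```

Vendors ship fixes on their own schedules, so treat the result as a first-pass filter and confirm against the device maker's bulletin.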
