
Researchers have uncovered "Pixnapping," a new side-channel attack impacting Android devices, including Google and Samsung models, capable of covertly stealing sensitive data such as two-factor authentication codes and Google Maps timelines. This vulnerability, tracked as CVE-2025-48561, exploits Android APIs and a hardware side-channel (GPU.zip), allowing malicious apps to extract data without special permissions, posing significant data security risks. Although Google issued a patch in its September 2025 Android Security Bulletin, a workaround that re-enables the attack has emerged, and a related app list bypass vulnerability remains unpatched, marked by Google as "won't fix," underscoring persistent security challenges for the Android ecosystem and potential implications for user trust and platform integrity.
Researchers have identified "Pixnapping," a novel side-channel attack capable of covertly stealing sensitive data, including two-factor authentication codes and Google Maps timelines, from Android devices. This vulnerability, affecting Google and Samsung models running Android 13-16, leverages Android APIs and the GPU.zip hardware side-channel to allow malicious apps to capture 2FA codes in under 30 seconds without requiring special permissions. The underlying methodology is present across all Android devices, posing a broad platform risk. Google has acknowledged the issue, tracking it as CVE-2025-48561 with a CVSS score of 5.5, and released patches in its September 2025 Android Security Bulletin. However, a workaround has already emerged, re-enabling Pixnapping, which Google is reportedly addressing. More critically, a related app list bypass vulnerability, which circumvents Android 11 restrictions on querying installed apps, remains unpatched and has been marked "won't fix" by Google. This persistent security flaw, particularly the "won't fix" stance on the app list bypass, contributes to an "extremely negative" sentiment (-0.8) surrounding Google's platform security and carries a significant market impact score of 0.7. The ease with which any app can exploit Pixnapping, once installed, underscores potential risks to user data privacy and trust in the Android ecosystem, impacting GOOG/GOOGL's brand and long-term platform integrity.