Android security flaw lets hackers steal 2FA codes and chats

Watch Android security flaw lets hackers steal 2FA codes and chats - Rizzle on Dailymotion

Transcript

00:00Android security flaw lets hackers steal two-factor authentication codes and chats.

00:06Android phones have a new kind of heartburn.

00:08An academic team has revealed a cheeky new attack called pick snapping.

00:12This hack can nick whatever's visible on your screen,

00:15think two-factor codes, chat threads, or location timelines, in under 30 seconds.

00:21The setup is like low-effort sorcery.

00:23A harmless app nudges a target app to display secret content,

00:26probing pixels to see if they are lit.

00:28This allows reassembling data without screenshots.

00:32Researchers tested it on Google Pixel and Samsung's Galaxy S25.

00:36Pick snapping exploits a timing side channel, akin to the GPU.zip web attacks,

00:42where timing differences reveal graphic rendering duration.

00:45Transparent overlays and frame render timings help infer pixel colors.

00:50The attack unfolds in three stages, invoking the rendering of sensitive data,

00:54overlaying and probing specific pixels, then timing and reconstructing readable characters.

01:00It's slow and fiddly, which matters.

01:03Two FA codes are only valid for 30 seconds, so timing is everything.

01:08The team succeeded on pixels in under 30 seconds, while S25 results varied.

01:12Google issued a September patch, but hasn't seen active attacks.

01:16It's both an applause line for researchers and a reminder.

01:20Users should be cautious about unknown apps,

01:23and developers should consider stricter rendering isolation and timing mitigations.

01:27Let's go ahead and look ahead and see you guys and characters