Overview
- An academic team showed that a malicious app can infer pixels via Android intents, semi‑transparent overlays, the window blur API, and a GPU timing leak, without requesting special permissions.
- Tests on Google Pixel 6–9 and Samsung Galaxy S25 running Android 13–16 recovered six‑digit Google Authenticator codes in under 30 seconds in many trials.
- The technique also pulled data from apps and sites including Signal, Gmail, Venmo, and Google Maps, though larger regions leak slowly at roughly 0.6–2.1 pixels per second.
- Google assigned CVE‑2025‑48561, says it has seen no in‑the‑wild exploitation or Play Store abuse, and plans a fuller December patch after the September mitigation was circumvented.
- Researchers reported an installed‑apps discovery bypass using intents that Google marked as "won’t fix," and GPU.zip hardware side‑channels used by the attack have no vendor remediation yet.