- cross-posted to:
- technology@beehaw.org
- cross-posted to:
- technology@beehaw.org
You must log in or # to comment.
requires a victim to first install a malicious app
Let me stop you right there… and leave.
Having cleaned a bunch of old folks phones in the past years this is far more common than we ”advanced” users think. It often starts with clicking an advert or some spam mail or message from (infected) friend, which to them, looks absolutely legit. Then the installed app spams the user with notifications to install more ”PDF readers”, ”phone cleanup apps” and whatnot. In best case these just flood the user with ads but just as easily can do more malicious stuff.
After some schooling (”never click anything that is offered to you” etc.) and putting up defencew like AdGuard (system level) the instances of ”my phone is slow”, ”what does this message mean” etc. have radically decreased. Apple devices have their own issues but this kind of troubles are next to non-existent there.
"Our end-to-end attacks simply measure the rendering time per frame of the graphical operations… to determine whether the pixel was white or non-white.”
This is a prime example of something that is so simple, yet elegant, and brilliant. Fantastically cool and scary.
Reminds me how in the early days the secret keys inside the smartchips in things like bank cards could be extracted by measuring the power consumption when the smartchips were doing things like signing data using those keys.
The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet. The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work. Google released mitigations last month, but the researchers said a modified version of the attack works even when the update is installed.
This is a very big hypothetical.
They’d need to already have access to your account credentials (email, password or at least something that is regarded the same) then have you install this malicious app, then you’d need this app to be open at the same time as your 2FA app
It’s possible, yes, it’s an awesome find, yes, and this should be patches, yes yes yes, a thousand yes
Having said that, I’m not too worried about the potential impact of this, it’ll be fine.
Duh, they’re hackers /s
Dont install random shit and if possible have a phone just for 2fa
It doesn’t require any permissions. It could literally be in any app or even a demo
Yes that’s why you verify the safety and security of the apps you’re installing on your phone and don’t just go, “ooo, this looks cool, let’s download it and try it out”. This is especially true if you are installing FOSS apps.
This is especially true if you are installing apps from the play store.
fixed that small mistake
How do you do that if it’s on a “trusted” platform. It requires no special permissions.
What “trusted” platform? Google play store? Their rules are lax as all fuck. And if you download an app from a reputable company and it has malware in it you have the Better Business Bureau to turn to. Otherwise buyer beware, scammers exist.
Gotta wonder why random apps don’t need special permissions to run and operate other apps. You can cause plenty of trouble maliciously navigating a browser even if you can’t see the screen.
Sandboxing by default and preventing Google and others from spying in and manipulating apps are good steps phone OS developers should use, but I don’t think those kind of things would help for this particular case.
Use open source apps and everything to be protected. Gotcha
The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet. The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work. Google released mitigations last month, but the researchers said a modified version of the attack works even when the update is installed.
deleted by creator
It has to be tailored to the specific hardware so I don’t think it’s a major concern for most users. It doesn’t seem like something that can be fully mitigated either, so it’s probably not worth worrying about. Side channel attacks are really cool but also kind of useless in most practical scenarios.
