New Android attack can show your texts and Gmail inbox to hackers
Over the past few years, Google has become much better at providing regular security updates to its Pixel phones, and other Android manufacturers including Samsung have extended the period for which devices receive updates after release.
More frequent fixes do not stop criminals from exploiting flaws in Android to find new ways to hack phones and steal personal data.
A new type of attack targeting Android phones has been discovered which can allegedly steal information from your phone such as two-factor authentication codes and your location records, all in less than 30 seconds.
Researchers from the University of California who discovered the attack call it ‘pixnapping’: a malicious Android app effectively kidnaps pixels from your screen, meaning someone else can see what is displayed on it.
“Pixnapping is a new class of attacks that allows a malicious Android app to stealthily leak information displayed by other Android apps or arbitrary websites,” they said. “Pixnapping exploits Android APIs and a hardware side channel that affects nearly all modern Android devices.”
The researchers said they demonstrated the attack on Google Pixel and Samsung Galaxy phones, scraping data, without the user realising, from apps such as Gmail and even the private messaging app Signal. The specific phones tested were the Google Pixel 6, Google Pixel 7, Google Pixel 8, Google Pixel 9, and Samsung Galaxy S25, but other phones are not excluded from being vulnerable.
“Notably, our attack against Google Authenticator allows any malicious app to steal 2FA codes in under 30 seconds while hiding the attack from the user,” they said, indicating attackers could steal the very two-factor authentication codes designed to stop someone getting into your accounts even when they know your username and password.
The attack starts when an unsuspecting user installs a malicious app. That app then uses Android APIs to detect when you are viewing something sensitive, and the side channel lets it read what is on screen without anything obstructing the attacker’s view.
As this is research, it is not known whether any such apps are in the wild and being exploited. Warnings of this sort are published to inform users and so that Google can fix the flaw in Android before criminals exploit it.
“Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping,” the researchers said. “Chat messages, 2FA codes, email messages, etc. are all vulnerable since they are visible.”
They said the best way to protect yourself from this and any potential attack is to “install Android patches as soon as they become available.”
The good news is that this type of attack only works if you are tricked into installing a malicious app in the first place, which is highly unlikely if you stick to verified apps from the Google Play Store. But the discovery of such a flaw in Android is worrying, so it is best not to sideload apps and to install system software updates as soon as they become available.