New Android Exploit ‘Pixnapping’ Could Expose Crypto Wallet Seed Phrases
Security researchers have disclosed a new Android attack, dubbed "Pixnapping," that lets a malicious app read what other apps are displaying on the screen, including cryptocurrency wallet recovery phrases, two-factor authentication (2FA) codes and other sensitive information, without ever taking a screenshot.
According to the newly published research paper, Pixnapping works against any app, not only against content rendered in a browser, which is where earlier pixel-stealing attacks were confined. It neither captures screenshots nor records the display, both of which Android restricts; instead it infers the screen contents one pixel at a time through a timing side channel in the graphics pipeline.
First, the attacker's app quietly stacks several semi-transparent windows over the victim app so that only a single pixel of the underlying content is left visible. By varying the colors and transparency of those layers and measuring how long the device takes to render the composited result, the app learns the color of the exposed pixel even though it is never handed the pixel value directly.
Repeating that measurement for many pixel positions across many frames lets it rebuild the displayed text, digit by digit and word by word, including a seed phrase.
Because every pixel has to be measured separately, the attack is slow and works poorly against content that changes quickly. It is most dangerous against information that stays on screen for several seconds, such as a wallet recovery phrase left visible while the user copies it down, or a 2FA code waiting to be typed elsewhere.
Crypto Seed Phrases at Risk
Seed phrases, the list of words (usually 12 or 24) from which every private key in a wallet is derived, are the highest-value target: whoever holds the phrase controls the funds. Many users leave the phrase on screen long enough to copy it by hand, and that is exactly the exposure window the attack needs.
In lab tests the researchers recovered 6-digit 2FA codes from Google Pixel phones with success rates of 73% on the Pixel 6, 53% on the Pixel 7, 29% on the Pixel 8 and 53% on the Pixel 9, so a majority of trials succeeded on three of the four models. Average recovery time ranged from 14 to 25 seconds, which is inside the 30-second validity window of a typical time-based (TOTP) code.
A full 12-word recovery phrase contains far more characters than a 6-digit code, so recovering one takes correspondingly longer, but it remains feasible whenever the phrase stays on screen long enough for the sampling to finish.
The researchers tested the attack on Android 13 through 16, on Google's Pixel 6, 7, 8 and 9 and on Samsung's Galaxy S25. Because the Android APIs it relies on are widely available, phones from other manufacturers may be affected as well.
Google's first patch tried to block the attack by limiting how many overlay layers an app can have blurred at once, but the research team quickly found a workaround that kept the attack viable. The paper notes:
“As of October 13, we are still coordinating with Google and Samsung regarding disclosure timelines and mitigations.”
Google rated the vulnerability high severity and paid the researchers a bug bounty. The team also informed Samsung that Google's initial patch did not fully protect Galaxy devices.
Hardware Wallets Still the Safest Bet
Experts advise against ever displaying seed phrases or private keys on an Android device, or on any internet-connected device. The safest approach is a hardware wallet, which generates and stores the keys offline so that no app or browser on the phone can observe them. That protection holds only if the phrase is never re-entered on the phone: the recovery phrase a hardware wallet shows on its own screen at setup should be written down on paper and kept offline, not photographed, typed into a notes app or pasted into a wallet app on the handset.
A hardware wallet acts as an isolated signing device: the phone or computer sends it an unsigned transaction and receives a signature back, and the private key never leaves the device. As cybersecurity researcher Vladimir S put it bluntly on X:
“Simply don’t use your phone to secure your crypto. Use a hardware wallet!”
The discovery of Pixnapping is a sobering reminder that even modern smartphones are not immune to creative new exploits. For crypto holders, it reinforces a familiar truth: true security still lies in caution, isolation, and cold storage.