- cross-posted to:
- android@lemdro.id
- cross-posted to:
- android@lemdro.id
You must log in or register to comment.
requires a victim to first install a malicious app
Let me stop you right there… and leave.
Normally I would agree with this perspective, but in this case the “malicious app” is just a demo. It requires no permissions to do the malicious behavior, which means that the relevant code could be included in any app and wouldn’t trigger a user approval, a permissions request or a security alert. This could be hiding in anything that you install.
"Our end-to-end attacks simply measure the rendering time per frame of the graphical operations… to determine whether the pixel was white or non-white.”
This is a prime example of something that is so simple, yet elegant, and brilliant. Fantastically cool and scary.
Even if this particular attack is against Android phones, it should be noted that iPhones have their own security issues.
Stay safe out there, regardless of what type of phone you use.
Edit: lol, looks like I ruffled some feathers, with a few people really going the extra mile to take the wrong message from it
Lawl “exploit developed for android phones”
You: UK AKSHULLY IPHONES AREN’T SECURE THOUGH
Alternately: I was mentioning this to pre-empt anyone marching in here and puffing up about iPhone. Or thinking that they don’t need to worry about security issues.
Of course you know and understand the intent of my comment. Your bad-faith response fails to impress.
Permissions, when built-in to the operating system from conception, are much more effective than when they’re half-heartedly tacked on decades later, which is why these issues keep coming up on Android but not on iOS
The difference isn’t actually in the operating system. iOS is just as vulnerable to such things. The difference is in how the app store is run. Apple locks down there app store so that it’s much more difficult to get malicious apps added. Google is extremely less thorough. Which is one of the reason many of us choose Android. When you choose more freedom the price is more vigilance is necessary to secure yourself and your phone.
This is a very big hypothetical.
They’d need to already have access to your account credentials (email, password or at least something that is regarded the same) then have you install this malicious app, then you’d need this app to be open at the same time as your 2FA app
It’s possible, yes, it’s an awesome find, yes, and this should be patches, yes yes yes, a thousand yes
Having said that, I’m not too worried about the potential impact of this, it’ll be fine.
Use open source apps and everything to be protected. Gotcha
The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet. The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work. Google released mitigations last month, but the researchers said a modified version of the attack works even when the update is installed.
Dont install random shit and if possible have a phone just for 2fa
It doesn’t require any permissions. It could literally be in any app or even a demo
Yes that’s why you verify the safety and security of the apps you’re installing on your phone and don’t just go, “ooo, this looks cool, let’s download it and try it out”. This is especially true if you are installing FOSS apps.
