A new Android flaw lets malicious apps steal 2FA codes and messages via GPU timing attacks, affecting most devices despite a partial fix.
A newly discovered Android vulnerability called "Pixnapping," tracked as CVE-2025-48561, allows malicious apps to steal sensitive on-screen data like two-factor authentication codes and private messages using a side-channel attack that exploits GPU timing.
Researchers from UC Berkeley, UC San Diego, the University of Washington, and Carnegie Mellon demonstrated the flaw affects nearly all modern Android devices, including Pixel and Samsung flagship models, and can extract 2FA codes in under 30 seconds.
The attack tricks legitimate apps into displaying content, then reconstructs it via pixel-level timing analysis without user consent.
Google has released a partial fix in the September update, but researchers confirm the exploit can bypass it, with a full patch expected in December.
No evidence of real-world use has been found as of October 14, 2025.
Users are advised to keep devices updated and avoid untrusted apps.