Pixnapping: Bringing Pixel Stealing out of the Stone Age

Alan Wang

Abstract:

Pixnapping is a new class of attacks that allows a malicious Android app to stealthily leak information displayed by other Android apps or arbitrary websites. Pixnapping exploits Android APIs and a hardware side channel that affects nearly all modern Android devices. We have demonstrated Pixnapping attacks on Google and Samsung phones and end-to-end recovery of sensitive data from websites including Gmail and Google Accounts and apps including Signal, Google Authenticator, Venmo, and Google Maps. Notably, our attack against Google Authenticator allows any malicious app to steal 2FA codes in under 30 seconds while hiding the attack from the user.

Bio:

Alan Wang is a first-year PhD student advised by Professor Christopher W. Fletcher at UCB. Alan's interest primarily lies in side-channel attacks and defenses.

Time and Place

Monday, February 9, 11:00am
CoDA E201 & Zoom