
New Android Vulnerability Unveiled
Researchers have discovered a critical vulnerability in Android that allows malicious applications to extract sensitive on-screen information, such as recovery phrases for crypto wallets and two-factor authentication (2FA) codes.
Overview of the Vulnerability
The vulnerability, described in a research paper, enables an attack called ‘Pixnapping’ that exploits Android APIs to calculate the pixel content displayed by other applications. The malicious app does not simply read another app’s display; the attack relies on sophisticated manipulation of how information is visually rendered on the screen.
The method obscures all but a single pixel of interest, which allows the malware to determine that pixel’s color and, over time, reconstruct private details. Although the attack is time-consuming, it poses a serious risk, particularly for information that stays on screen for extended periods.
Implications for Crypto Wallet Security
One particularly vulnerable type of data is the recovery phrase used in crypto wallets. These phrases grant complete access to the associated wallets and are often written down for safekeeping. Testing revealed the attack could accurately recover 2FA codes on popular devices like the Google Pixel series, demonstrating its potential danger if recovery phrases are left visible.
“Our attack correctly recovers the full 6-digit 2FA code in 73%, 53%, 29%, and 53% of the trials on the Pixel 6, 7, 8, and 9, respectively. The average time to recover each 2FA code is around 14 to 25 seconds for these devices.”
Google’s Efforts and Recommendations
The researchers conducted tests on devices running Android versions 13 to 16. While Google has attempted to address the problem by limiting how many activities an app can blur simultaneously, the researchers reported discovering a workaround that still enables the attack. Google acknowledged the severity of the issue and has begun coordinating with Samsung on further mitigations.
Conclusion
To safeguard against such vulnerabilities, it is advisable not to display sensitive recovery phrases on Android devices or any other internet-capable device. A hardware wallet can significantly enhance security because it signs transactions separately from the computer or smartphone environment.
“Simply don’t use your phone to secure your crypto. Use a hardware wallet!”