Malicious app required to make “Pixnapping” attack work requires no permissions.
The attack seems similar to sidechannel attacks for CPUs, where you’d essentially read protected memory by observing side effects. Same idea but with pixels sent to the display.
Interesting. I wonder what it is that causes the render times to be different and how much noise there is. Maybe the solution will be to worsen timer accuracy!
they did something similar with JS timers in browsers iirc
Here I thought not giving accessibility permission, draw over apps permission among others meant I was safe.
Guess, there’s always something on the corner. More infuriating, this was disclosed in February and google has yet to completely fix the issue. I doubt I would be getting a proper fix any time sooner than march at this pace.
Yeah, so if you install an app that gives them full permissions, they can see what you’re doing on your phone.
shocking
Except attack “requires no permissions” for the app to work.
The article is pretty clear that the issue is with the Android devices themselves, not with lazy users. There is no indication that a malicious app has these permissions.
