Android devices are vulnerable to a new attack that can covertly steal two-factor authentication codes, location timelines, and other private data in less than 30 seconds. The malicious app then runs graphical operations on individual pixels of interest to the attacker. “Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping,” the researchers wrote on an informational website. “Conceptually, it is as if the malicious app was taking a screenshot of screen contents it should not have access to. In the first, the malicious app invokes Android APIs that make calls to the app the attacker wants to snoop on.