The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet. The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work. Google released mitigations last month, but the researchers said a modified version of the attack works even when the update is installed.

Okay so the headline should read “Android has a permissionless side chabnel attack to reading screen contents.”

This has nothing to do with two factor codes. Who wrote this, a project manager at Oracle?

Yeah you can steal anything from anything with the means