Keep Your Android Phone Safe From Pixnapping - DTNS 5124
Added 2025-10-14 18:30:50 +0000 UTC
TOM: This is the Daily Tech News for Tuesday, October 14, 2025. We tell you what you need to know, follow up on the context of those stories and help each other understand.
JENN: Today, we walk you through the Pixnapping exploit for Android, what you do and do not need to worry about, and how to avoid falling victim to it.
I’m Tom Merritt,
I’m Jenn Cutter.
TOM: Let’s start with what you need to know with the big story.
[[BIG STORY]]
[[SOLO story of the day. Basic details, monitor commentary and sound when possible.]]
Hackers can steal 2FA codes and private messages from Android phones – Ars Technica
Hackers can steal 2FA codes and private messages from Android phones : r/DailyTechNewsShow
TOM: You should always be careful what apps you install on your devices, but here's an extra reason for Android users to be careful. Thanks to lujuan73 on our subreddit for calling attention to this one.
Scientists from the University of California at Berkeley, the University of Washington, the University of California at San Diego, and Carnegie Mellon University presented a paper this week at the 32nd ACM Conference on Computer and Communications Security. The paper is called "Pixnapping: Bringing Pixel Stealing out of the Stone Age."
The team's exploit requires the victim to install a malicious app. So that's your first line of defense. Don't install a malicious app. Sounds easy, but of course, if people didn't get tricked into installing malicious apps all the time, this wouldn't be much of a concern.
Once installed, the app that takes advantage of the Pixnapping exploit can read any data displayed on the screen without needing special system permissions.
It does this by invoking Android programming interfaces that cause the targeted app to send sensitive information, say a multifactor code, into Android's rendering pipeline to be displayed on screen. The app then runs graphical operations on the pixels on screen (like drawing a transparent piece of content over the other content) and exploits a side channel in the GPU, usually the known GPU.zip side channel. To oversimplify, the time it takes for a frame to be rendered on the screen behind the transparent image can be used to deduce whether a pixel is white or not. The app can use that information to map pixels to letters, numbers, or shapes, thus letting it deduce what information the app sent.
The attack takes time, so it had to be refined to work in the 30 seconds in which a multifactor code is shown on screen before it changes. They were able to do this on the Pixels but not the Galaxy S25.
Obfuscated or hidden information that is not displayed on screen cannot be accessed.
The exploit works on the Google Pixel and Samsung Galaxy S25. Google released partial mitigations in the September Android security bulletin, but a modified version of the exploit can still work. Google says further mitigations are coming in the December Android security bulletin. No in-the-wild exploits have been discovered.
[[DISCUSS]]
JENN: DTNS is made possible by you the listener. Thanks to
Dale Mulcahy
Matt Zaglin
Jeff Wilkes
New Patron: Razvan
And a raise from: Pete
[[BREAK]]
[[PAUSE]]
TOM: There’s more we need to know today, let’s get to the briefs.
[[BRIEFS]]
[[3–9 more solo reads with sound to complete the day in tech news. These are informational with minor commentary.]]
Windows 10 support ends today, but here's how to get an extra year for free
JENN: Just a reminder that Windows 10 officially is out of support and therefore end of life as of now, October 14th. Your PC will continue to work, it just won't get any more updates.
Your options are to:
Upgrade to Windows 11, if your machine supports it. (Or buy a PC that does)
Enroll in Extended Security Updates for Windows 10, which will be provided until October 13th, 2026. You can get those for free by agreeing to use Microsoft cloud backups, using 1,000 Microsoft Rewards points or paying $30.
Nvidia to Start Selling $3,999 DGX Spark Mini PC This Week | PCMag
NVIDIA starts selling its $3,999 DGX Spark AI developer PC
Nvidia unveils its vision for gigawatt 'AI factories' based on its Vera Rubin architecture – SiliconANGLE
TOM: At the 2025 OCP Global Summit in San Jose, Nvidia said it is donating its Vera Rubin NVL144 architecture to the Open Compute Project as an open standard. It is a more power-efficient rack server architecture designed to support the Vera Rubin GPUs coming in 2027.
And while we're talking about Nvidia, the company will begin selling its DGX Spark desktop (aka Project DIGITS) on October 15th. The $3,999, 2.6-pound desktop PC runs Nvidia's DGX OS, a custom version of Ubuntu. It has a GB10 super chip, which combines a 20-core Grace CPU with a Blackwell GPU and 128GB of LPDDR5x memory. That and custom software will let scientists run powerful models locally. Versions of the desktop from other vendors like Dell, HP, Lenovo and ASUS were shown at Computex, and should be coming soon. Nvidia is also working on a model with a GB300 Grace Blackwell Ultra Desktop Superchip, with 20 petaflops of performance and 784GB of unified system memory.
Microsoft debuts its first in-house AI image generator
JENN: Microsoft debuted its first in-house image generator, called MAI-Image-1. It specialises in generating photorealistic images with natural lighting and landscapes. The model is being tested on LMArena, with plans to roll out to Copilot and Bing Image Creator soon.
OpenAI and Broadcom partner on AI hardware | TechCrunch
OpenAI is making its own AI chips with Broadcom's help
OpenAI partners with Broadcom custom AI chips alongside Nvidia, AMD
Oracle, AMD Partner on New AI Chip Deal – WSJ
TOM: OpenAI announced Monday that it has partnered with Broadcom for 10 gigawatts worth of custom-designed AI accelerator racks that will be deployed to OpenAI data centers and partner data centers from 2026 through 2029. Since the beginning of September, OpenAI signed deals for 6 Gigawatts of chips from AMD, 10 Gigawatts from Nvidia, and an infrastructure deal with Oracle. Deployments are to begin in the second half of 2026 as well. OpenAI is expected to have 2GW of capacity by the end of this year, but these deals are part of a goal to reach 250GW of capacity in the next 8 years. That would cost $10 trillion. OpenAI is expected to make $13 billion in revenue this year. Meanwhile, AMD is partnering with Oracle to deploy 50,000 MI450 chips in Oracle's data centers by Q3 next year.
Satellites found exposing unencrypted data, including phone calls and some military comms | TechCrunch
T-Mobile customer call and text data captured from satellite comms
JENN: Scientists at UC San Diego and the University of Maryland discovered that by using an $800 off-the-shelf satellite receiver, they could monitor unencrypted data from satellites used for routing voice calls, text messages, and internet traffic, including WiFi from airplanes. It also included communications with critical infrastructure like energy and water. The data was in an obscure format, which they needed three years to consistently decode. The scientists alerted providers, including AT&T and T-Mobile, which have since encrypted the traffic, though not everyone they contacted has done so.
Supreme Court rejects Grindr liability case
TOM: The US Supreme Court has declined to hear appeals to a second case that challenged Section 230 safe harbor protections for internet companies. Previously, it declined to hear a case holding Meta accountable for the radicalization of a mass shooter. This time, it declined to hear an appeal holding a dating app accountable for connecting a minor with adults who were later convicted of sex crimes against the minor. In both cases, lower courts ruled that the platform was not responsible for the conduct of its users.
The Pixel 10's app crash nightmare is finally over
Samsung halts Android 16 update for all Galaxy S22 users
JENN: Good news and bad news for Android phone users.
Android Police reports that Google has made a server-side change that stops apps from crashing on Pixel 10 devices. Android Police shared detailed logs with Google to help the company identify the problem in an update to Google Play services that was causing the intermittent bug. However, Samsung has stopped the rollout of One UI 8 for users of the older Galaxy S22. Samsung has not explained why.
Dutch Seized Nexperia After US Demanded Ouster of Chinese CEO – Bloomberg
China Puts Export Controls on Nexperia After Dutch Takeover – Bloomberg
TOM: The government of the Netherlands used a never-before-invoked cold war era law to take over automobile chipmaker Nexperia after the US warned that it would need to replace its Chinese CEO or go on a sanctions list. In response, China put export controls on Nexperia components coming from its Chinese factories.
TOM: And finally, some quick headlines that are just good to know if you want to understand the news in the future.
Microsoft restricts IE mode access in Edge after zero-day attacks
JENN: Microsoft has made it more difficult to activate the Internet Explorer mode in the Edge browser after discovering attackers exploiting a zero-day vulnerability in the mode.
TOM: TP-Link announced it has conducted its first successful trial of WiFi 8 hardware, which would bring reliability improvements over WiFi 7.
Apple’s streaming service gets harder to tell apart from its streaming app, box – Ars Technica
JENN: In a press release for the streaming version of the F1 movie, Apple noted that Apple TV Plus is now just called Apple TV.
Dashlane Partners with Yubico in a First for Security Keys – Thurrott.com
TOM: Password manager Dashlane is partnering with Yubico to let users use their FIDO 2 YubiKey as the primary authentication for passwordless access to their vault.
AI-written web pages haven't overwhelmed human-authored content, study finds
JENN: Analysis from Graphite found that while the percentage of AI-generated articles rose sharply after the launch of ChatGPT in November 2022, the percentage converged in November 2024 and has been roughly equal ever since.
Anduril's new EagleEye MR helmet sees Palmer Luckey return to his VR roots | TechCrunch
TOM: Anduril Industries, headed by Oculus founder Palmer Luckey, announced "EagleEye" on Monday, a system that can deliver live video, sensor data alerts and more into a soldier's helmet.
Google to invest $15B in Indian AI infrastructure hub | TechCrunch
JENN: Google will invest $15 billion in a 1-gigawatt data center in India to be built within the next five years.
Instagram to show PG-13 content by default to teens, adds more parental controls | TechCrunch
TOM: Instagram will now restrict content shown to those younger than 18 in Australia, Canada, the UK, and the US, to the same standards as the US PG-13 rating, which does not allow extreme violence, sexual nudity, and graphic drug use.
Spotify rolls out controls to keep kids music out of your algorithm | The Verge
JENN: And family users of Spotify in seven countries can soon make managed accounts for children that can filter out adult music and content, and keep the kids' songs from affecting their recommendations.
[[PROMO]]
TOM: Join in the conversation in our Discord, which you can join by linking to a Patreon account at patreon.com/dtns
[[BREAK]]
[[PAUSE]]
[[HELPING EACH OTHER UNDERSTAND]]
[[Short missives from people with experience. Could be written email or pre-recorded from the person.]]
JENN: We end every episode of DTNS with some shared wisdom. Today Rob has some thoughts on AI helping productivity.
TOM: Responding to Friday’s discussion on AI productivity, Rob Bugslife commented:
With the news items today, the stuff Jenn mentioned and that I have seen at my own job, I'm not sure I can trust any of the reports of "efficiencies gain" when being self-reported by companies. When employees are told to find ways to use these tools and report back on gained efficiencies, they will find ways to at least appear to be following orders cause they don't want to lose their jobs. Which means to me a lot of that data in the future may be artificially boosted.
From my own experience there are no doubt benefits, but I would be lying if I said it added more than 15% maybe 20% efficiency for some tasks, definitely not to everything.
Keep sharing and thanks for keeping everything levelheaded.
[[DISCUSS]]
JENN: What are you thinking about? Got some insight into a story? Share it with us at feedback@dailytechnewsshow.com
TOM: Thanks to Rob for contributing to today’s show. And thank YOU for being along for Daily Tech News Show. You can keep us in business by becoming a patron, at Patreon.com/dtns
Plus we discuss the improbably large deals OpenAI is signing and how Section 230 is being protected by the US Supreme Court.
Starring Tom Merritt and Jenn Cutter.
Comments
The young Gentleman Podcaster from a Soho Spoons is back. Missed you and JC too. And I know that you were only away for a day. Anyway, Cheers. Now back worrying about JC's Mam again. Free ESU for the year. Come on Mac Mini 5. Warp Driving. Now that's a thing. Rob correct. Lots of AI training going on in the UK Civil Service at the moment. MT
R W Nash
2025-10-15 04:55:42 +0000 UTC