The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet. The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work. Google released mitigations last month, but the researchers said a modified version of the attack works even when the update is installed.

  • f4f4f4f4f4f4f4f4
    4 months ago

    https://f-droid.org/packages/io.nandandesai.privacybreacher

    It hasn’t been updated in five years. I’m not sure of the current state of things in Android, but apps used to be able to access all kinds of personal data with zero permissions: listing all installed apps, access to sensors/accelerometers, battery level, when charger/headphones were last plugged or unplugged.

    • ReversalHatchery@beehaw.org
      4 months ago

      Screen capture is an entirely different thing though, and that was not available without permissions for a very long time.

      • f4f4f4f4f4f4f4f4
        4 months ago

        This is true. Non-Google apps trying to read your screen had to convince users to enable Accessibility permission.

      • limerod@reddthat.comM
        4 months ago

        It's not actually capturing the screen though. It's displaying a transparent overlay on another app and using a timing side-channel attack to track the pixels for the generated 2-factor auth code.