Mobile apps have significantly transformed various aspects of modern life, leading to growing concerns about privacy risks. Despite widespread encrypted communication, app fingerprinting (AF) attacks threaten user privacy substantially. However, existing AF attacks, when targeted at wireless traffic, face four fundamental challenges, namely 1) sample inseparability; 2) app multiplexing; 3) signal attenuation; and 4) open-world recognition. In this paper, we advance a novel AF attack, dubbed PacketPrint, to recognize app user activities over the air in an open-world setting. We introduce two novel models, i.e., sequential XGBoost and hierarchical bag-of-words model, to tackle sample inseparability and enhance robustness against noise packets arising from app multiplexing. We also propose the environment-aware model enhancement to bolster PacketPrint’s robustness in handling packet loss at the sniffer caused by signal attenuation. We conduct extensive experiments to evaluate the proposed attack in a series of challenging scenarios, including 1) open-world setting; 2) simultaneous use of different apps; 3) severe packet loss at the sniffer; and 4) cross-dataset recognition. The experimental results show that PacketPrint can accurately recognize app user activities. It achieves the average F1-score 0.947 for open-world app recognition and the average F1-score 0.959 for in-app user action recognition.