Security researchers have found a persistent vulnerability in Google Pixel phones that has existed since 2017. This vulnerability could potentially provide hackers with a means of backdooring a device.
The vulnerability relates to a “Showcase.apk” third-party Android application package that Verizon reportedly put on Pixel phones offered for sale in the US.
A great technique to showcase a Pixel phone at Verizon stores is to use Showcase.apk to transform it into a demo device. The cybersecurity provider iVerify, however, has discovered that the same application has deep system rights, “including remote code execution and remote package installation capabilities.”
Additionally, it discovered that Showcase.apk will get a configuration file via an unencrypted HTTP connection at a predetermined URL. According to the iVerify researchers’ assessment, the application package “fails to authenticate or verify” the URL’s domain while downloading the configuration file.
Thus, by impersonating the predefined URL and diverting the connection to a malicious website intended to deliver a booby-trapped configuration file, a hacker might take advantage of Showcase.apk. This might happen if the Pixel phone joins a network that is controlled by hackers, such as a rogue Wi-Fi hotspot, to launch a “man-in-the-middle attack.”
According to iVerify, millions of Pixel devices may be impacted by the bug. Palantir Technologies, one of iVerify’s clients, “is opting to remove Android devices from its mobile fleet and transition entirely to Apple devices over the next few years,” according to iVerify, indicating that the risk is that great.
Additionally, since the app is a component of the firmware image and Google forbids end users from changing the firmware image for security reasons, consumers are unable to delete it, according to iVerify.
But according to Google, the problem isn’t as bad as the research says. Showcase.apk isn’t active by default, to start. Rather, to activate the application package, iVerify needs physical access to the Pixel phone. However, iVerify researchers told Wired that it’s feasible that malware currently present on the device may find a way to activate it.
Google clarified, saying, “This is an app that Smith Micro built for Verizon in-store demo devices and is no longer in use; it is not a vulnerability in the Pixel or Android platforms. Physical access to the phone and the user’s password are both necessary for this software to be exploited on a user’s phone. No indication of any active exploitation has been observed.
A timeline was not given, but the company also intends to use a software update to delete Showcase.apk from all impacted Pixel phones. Devices from the Pixel 9 series do not have the app. Google continued, “We are also informing other Android OEMs.”