Pixel phone owners have another concern that is separate from the phone’s network performance issues. Millions of Google Pixel devices, shipped from September 2017 to date, are vulnerable to cyberattacks due to a security flaw in a pre-installed app. A security vulnerability was discovered on an Android device used by Palantir Technologies. This discovery led to an investigation involving iVerify and Trail of Bits. The two teams identified a pre-installed application, Showcase.apk, as the source of the vulnerability.
“It appears that Showcase.apk is preinstalled in Pixel firmware and included in Google’s OTA image for Pixel devices,” states iVerify. “The app is part of the firmware image, so millions of Android Pixel phones worldwide could have this application running at the system level,” iVerify added in a recent post.
The vulnerable “Showcase.apk” application was developed by Smith Micro, a software company based in the Americas and Europe. Smith Micro specializes in remote access, parental control, and data-clearing software.
This app compromises Pixel devices’ security, leaving them susceptible to hacking attempts, including man-in-the-middle (MITM) attacks and spyware infiltration. Showcase.apk holds extensive system permissions, enabling it to execute code remotely and install applications without user consent.
The application downloads a configuration file from a single US-based, AWS-hosted domain over unencrypted HTTP. This dependency on insecure HTTP creates a significant security vulnerability: the file can be intercepted and modified in transit, and because the app acts on its contents with system-level privileges, a modified file can lead to malicious code execution on the device.
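The two controls a defender would expect around a remotely fetched configuration file are a transport policy (never fetch it over plain HTTP) and an integrity check that does not depend on the transport at all (a signature verified against a key embedded in the firmware). The Go program below is an added example written for this article; it is not code from Showcase.apk, Smith Micro, Google or iVerify. It assumes a detached Ed25519 signature served alongside the config, a firmware-embedded public key, and a hypothetical download URL, and it replaces the network fetch with an in-memory stub so it runs offline. It shows a genuine signed config being accepted, a one-byte tampered copy (standing in for on-path modification) being rejected, and a plain-http URL being refused before any network call is made.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// Errors returned by the policy checks below.
var (
	ErrInsecureTransport = errors.New("config URL must use https, refusing plain http")
	ErrBadSignature      = errors.New("config signature did not verify")
)

// CheckConfigURL enforces the transport policy: the configuration may only be
// fetched over HTTPS from a non-empty host. It runs before any network call.
func CheckConfigURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return ErrInsecureTransport
	}
	if u.Host == "" {
		return errors.New("config URL has no host")
	}
	return nil
}

// VerifyConfig checks a detached Ed25519 signature over the raw config bytes
// against a public key baked into the firmware image. TLS protects the
// transport; the signature protects against a compromised or spoofed origin.
func VerifyConfig(pub ed25519.PublicKey, config, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pub, config, sig) {
		return ErrBadSignature
	}
	return nil
}

// Fetcher abstracts the download so the example runs offline; it returns the
// config bytes and the detached signature served next to them.
type Fetcher func(rawURL string) (config, sig []byte, err error)

// AcceptConfig is the full path a hardened client would take: refuse insecure
// URLs before touching the network, then refuse unsigned or tampered content.
func AcceptConfig(pub ed25519.PublicKey, rawURL string, fetch Fetcher) ([]byte, error) {
	if err := CheckConfigURL(rawURL); err != nil {
		return nil, err
	}
	config, sig, err := fetch(rawURL)
	if err != nil {
		return nil, err
	}
	if err := VerifyConfig(pub, config, sig); err != nil {
		return nil, err
	}
	return config, nil
}

// Scenario runs three constructed cases and reports the outcome of each:
// a genuine signed config over https, the same config with one bit flipped
// (a stand-in for on-path tampering), and a plain-http URL.
func Scenario() (genuineOK, tamperedRejected, httpRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	if err != nil {
		return false, false, false, err
	}
	genuine := []byte(`{"mode":"demo","allow_remote_exec":false}`) // constructed config
	sig := ed25519.Sign(priv, genuine)

	tampered := append([]byte(nil), genuine...)
	tampered[len(tampered)-2] ^= 0x01 // flip one bit; any change must invalidate the signature

	serve := func(body []byte) Fetcher { // offline stand-in for the HTTP download
		return func(string) ([]byte, []byte, error) { return body, sig, nil }
	}

	const cfgURL = "config.example.invalid/showcase.cfg" // hypothetical host and path
	_, e1 := AcceptConfig(pub, "https://"+cfgURL, serve(genuine))
	_, e2 := AcceptConfig(pub, "https://"+cfgURL, serve(tampered))
	_, e3 := AcceptConfig(pub, "http://"+cfgURL, serve(genuine))

	return e1 == nil, errors.Is(e2, ErrBadSignature), errors.Is(e3, ErrInsecureTransport), nil
}

func main() {
	g, t, h, err := Scenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine accepted=%v tampered rejected=%v http rejected=%v\n", g, t, h)
}
```

The ordering matters: the URL check runs before the fetch so an insecure endpoint is never contacted, and the signature check runs on the exact bytes received so a modified file is rejected regardless of how it was modified in transit.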
Vulnerable Pixel App Can’t Be Uninstalled
Cybercriminals who can tamper with that configuration file can inject malicious code and dangerous spyware. Further, vulnerabilities in the app’s infrastructure can be exploited to execute code or shell commands with system privileges on Android devices, allowing attackers to take over devices and perpetrate cybercrime and breaches.
Unfortunately, at this time, removing the app is not possible through a user’s standard uninstallation process. Google has yet to release a security patch to address the vulnerability.
The Showcase.apk application is not activated by default; however, it can be enabled through various methods, including physical access to the device. iVerify researchers successfully enabled the app using one such method. The researchers found it puzzling “Why Google installs a third-party application on every Pixel device when only a very small number of devices would need the Showcase.apk,”