Google is patching a serious firmware-level vulnerability that has been present on millions of Pixel smartphones sold worldwide since 2017. “Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update,” the company told The Washington Post.
The issue at heart is an application package called Showcase.apk, which is an element of Android firmware that has access to multiple system privileges. Ordinarily, an average smartphone user can’t enable or directly interact with it, but iVerify’s research proved that a bad actor can exploit it to inflict some serious damage.
“The vulnerability makes the operating system accessible to cybercriminals to perpetrate man-in-the-middle attacks, malware injections, and spyware installations,” according to the company. The security firm revealed that the flaw opens the doors for remote code execution and remote package installation.
That means a bad actor can install malware on a target device without having physical access to it. Cybercriminals can subsequently launch various forms of attack depending on the malware injected, which includes, but is not limited to, stealing sensitive data or system takeover.
The core issue is that Showcase.apk downloads configuration assets over an unsecured HTTP connection, leaving it vulnerable to malicious actors. What makes it scarier is that users can’t directly uninstall it like they can remove other apps stored on their phones.
A very Pixel problem
So, how does the Google Pixel factor in the whole sequence, and not every Android phone on the planet? Well, the Showcase.apk package comes preinstalled in the Pixel firmware and is also a core component of the OTA images that Google publicly releases for installing software updates — especially during the early development process.
iVerify notes that there are multiple ways a hacker can enable the package, even though it is not active by default. Google could face some serious heat following the disclosures for multiple reasons.
First, iVerify says it notified Google about its alarming discovery 90 days before going public, but Google didn’t provide an update on when it would fix the flaw — leaving millions of Pixel devices sold worldwide at risk. Second, one of the devices flagged as unsecured was in active use at Palantir Technologies, an analytics company recently awarded a contract worth about half a billion dollars by the U.S. Department of Defense to make computer vision systems for the U.S. Army.
Now, just for the sake of clarity, it’s not Showcase.apk itself that is problematic. It’s the way that it downloads configuration files over an unsecured HTTP connection that was deemed an open invitation for hackers to snoop in. To give you an idea of the threat, Google’s Chrome browser warns users every time they visit a website using the old HTTP protocol instead of the safer HTTPS architecture.
After publishing this story, a Google spokesperson sent the following statement to Digital Trends for further clarification about the whole situation:
“This is not an Android platform, nor Pixel vulnerability, this is an APK developed by Smith Micro for Verizon in-store demo devices and is no longer being used. Exploitation of this app on a user phone requires both physical access to the device and the user’s password. We have seen no evidence of any active exploitation. Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update. The app is not present on Pixel 9 series devices. We are also notifying other
This is serious
Irrespective of the threat vehicle, what could land Google in trouble is that at-risk Pixel smartphones were in active usage by a defense contractor, which could theoretically put national security at risk. It’s not hard to imagine why.
The app was made by Smith Micro for telecom giant Verizon to set phones into demo mode for retail stores. Moreover, since the app itself doesn’t contain any malicious code, it’s nigh impossible for antivirus apps or software to flag it as such. Google, on the other hand, says exploiting the flaw would require physical access and knowledge of the phone’s passcode.
iVerify, however, has also raised questions about the app’s widespread presence. When it was developed for demo units at Verizon’s request, why was the package part of Pixel firmware on devices, not just those destined for the carrier’s inventory?
Following the security audit, Palantir effectively removed all Android devices from its fleet and has shifted exclusively to iPhones, a transition that will reach completion over the next few years. Thankfully, there has been no evidence of the Showcase.apk vulnerability being exploited by bad actors.