7-year-old bug in pre-installed Google Pixel app puts millions at risk

A critical 7-year-old security flaw in a pre-installed app on millions of Google Pixel devices has been exposed. The vulnerability allows for potential remote code execution and data leakage. Although Google has acknowledged the issue, the delay in fixing this serious threat has raised concerns about user security.

Researchers at iVerify have discovered a critical vulnerability that has been lurking in Pixel devices since 2017, potentially putting millions of Google Pixel users at risk. The vulnerability lies in a pre-installed app with unnecessary system permissions, allowing attackers to inject malicious code and potentially take over devices.

The app in question is Showcase.apk, developed for Verizon by Smith Micro, an American software company that offers remote access, parental controls, and data erasure tools. This app is designed to turn Pixels into demo devices, but it contains a backdoor that attackers can use to compromise the device.

iVerify’s EDR feature identified an Android device at Palantir Technologies as insecure, leading to an investigation involving Palantir and Trail of Bits that found that the Android application package Showcase.apk leaves the operating system vulnerable to hackers, enabling man-in-the-middle attacks, code injection, and spyware.

Although Showcase is not a Google creation, it has deep-rooted system privileges, including the worrying ability to remotely execute code and install software without user consent.

This vulnerability could result in billions of dollars in data loss. To make matters worse, the app downloads configuration files over an unprotected HTTP connection, a glaring security oversight that could allow attackers to hijack the app and gain complete control of the device.

The application package retrieves a configuration file over unsecured HTTP, and that file can direct it to execute system commands or modules, which could open a backdoor and allow cybercriminals to compromise the device. Since the app is not inherently malicious, it may be missed by security technology. The app is installed at the system level as part of the firmware image, so it cannot be uninstalled at the user level.

FYI: Showcase.apk is system-level code that turns a phone into a demo device, modifying the operating system in the process. It runs in a privileged context, which leads to issues such as failing to authenticate a domain, using an insecure default variable initialization, modifying configuration files, processing non-mandatory files, and insecurely communicating with a predefined URL over HTTP.
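To make the listed weaknesses concrete from the defender's side, here is an added example (not code from Showcase.apk, Smith Micro or iVerify) of the checks a privileged configuration fetcher should apply: refuse cleartext HTTP, accept only an allowlisted origin, and fail closed when mandatory settings are absent instead of falling back to permissive defaults. The hostname, config keys and config text are constructed for illustration.

```python
"""Added example: defender-side checks for a privileged app that loads its
configuration from a remote URL.  Not code from Showcase.apk or iVerify;
the host, keys and config text below are constructed for illustration."""
from urllib.parse import urlparse

# Constructed allowlist: the only host a config file may be fetched from.
ALLOWED_CONFIG_HOSTS = {"config.example-vendor.invalid"}

# Constructed set of keys every config must state explicitly, so that no
# security-relevant setting is silently inherited from a permissive default.
MANDATORY_KEYS = {"demo_mode", "remote_commands_enabled"}

def is_acceptable_config_url(url: str) -> bool:
    """True only for HTTPS to an allowlisted host on the default port, no userinfo."""
    try:
        p = urlparse(url)
        port = p.port             # raises ValueError on a malformed port
    except ValueError:
        return False
    if p.scheme != "https":       # cleartext HTTP can be rewritten in transit
        return False
    if p.username or p.password:  # 'https://trusted@other-host/...' confusion
        return False
    return p.hostname in ALLOWED_CONFIG_HOSTS and port in (None, 443)

def parse_config(text: str) -> dict:
    """Parse 'key=value' lines; malformed lines and missing mandatory keys
    raise ValueError rather than being skipped or defaulted."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed config line: {line!r}")
        cfg[key.strip()] = value.strip().lower()
    missing = MANDATORY_KEYS - cfg.keys()
    if missing:
        raise ValueError(f"config missing mandatory keys: {sorted(missing)}")
    return cfg

def config_accepted(url: str, text: str) -> bool:
    """Combined gate: reject on transport, origin or completeness failure."""
    try:
        parse_config(text)
    except ValueError:
        return False
    return is_acceptable_config_url(url)
```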

While the exact purpose of pre-installing the app on Pixels remains unclear, it poses a significant security risk to users. The app cannot be uninstalled using standard methods. Although Google has acknowledged the issue and promised a fix, the delay in fixing this critical security flaw has raised concerns.

“This is not an Android platform or Pixel vulnerability, but rather an APK developed by Smith Micro for Verizon demo devices in stores that is no longer in use,” a Google spokesperson explained. “Using this app on a user’s phone requires both physical access to the device and the user’s password. We have not seen any evidence of active exploitation.”

Google mentioned that it would notify other Android OEMs about the APK and pointed out that the Showcase app, which is owned by Verizon, is mandatory on all Android devices sold by Verizon.

“Why Google installs a third-party application on every Pixel device when only a very small number of devices would need the Showcase.apk is unknown,” iVerify researchers wrote in their blog post.

It is important to note that Showcase is disabled by default and requires physical access to a device and knowledge of the system password to activate. However, the potential for remote exploitation cannot be ruled out, especially given the sophistication of modern cyberattacks.

Sergio A. Figueroa, Senior Security Consultant at Synopsys Software Integrity Group, commented: “When you buy a new smartphone, you trust it. You expect the hardware and operating system to work as expected and not have any obvious vulnerabilities. However, if there are any, you expect timely updates that fix them for at least a few years.”

“But how far does that trust have to go?” Sergio argued. “Different players may want to put their own stamp on the system. The original manufacturer (like Samsung, Nokia or HTC) will change the interface and develop some of their own applications. The mobile operator or the retailer that sells you the phone may just add a few apps to the mix. Some of these players may enter into agreements with third parties to provide certain applications or services,” he said.

“Because of the way these customizations are built into smartphones, it is difficult for most users to get rid of those they don’t like. In other words, users have to expand their trust: they have to trust not only the operating system, but also a set of applications that they may or may not need, and that may or may not meet certain quality and security standards,” explains Sergio. “Even if the operating system is guaranteed to receive security updates for a few years, the weather app installed by the mobile operator is not guaranteed.”

“These pre-installed utilities are becoming a burden: they are installed on many devices, they are difficult to remove or disable, and they are not subject to the same security standards as the actual operating system. It should come as no surprise that they are vulnerable and that this vulnerability affects a large number of users. There is little point in promising seven years of operating system-level security updates if it is bundled with software that does not have that promise,” he concluded.


By Olivia
