Google pulls built-in Pixel phone app after security alarms raised

Google will remove a built-in app from its Pixel phones, more than 90 days after intelligence service provider Palantir and mobile security company iVerify raised concerns about a serious vulnerability in the software, Google said Wednesday evening.

The application in question, Showcase.apk, was intended to help employees selling Pixel phones demonstrate features of the phone, iVerify says. But when the normally inactive app is activated, it accesses information from an Amazon Web Services site using the less secure HTTP protocol, making it vulnerable to hackers.

The information about the Pixel app vulnerability was revealed Thursday in a report by iVerify, which was broadcast by Palantir and security firm Trail of Bits. Palantir said it notified Google of the issue more than 90 days ago and its concerns were ignored. Palantir subsequently stopped issuing Android phones to employees due to concerns about the software’s security.

Google said in an email to CNET that the app was developed for Verizon by a third-party developer, Smith Micro, and said it was not an Android or Pixel vulnerability because it was only used for in-store devices. The company said the app is no longer in use.

“Exploiting this app on a user’s phone requires both physical access to the device and the user’s password,” a Google spokesperson told CNET. “We have not seen any evidence of active exploitation. As an abundance of caution, we will be removing this from all supported Pixel devices in the market with an upcoming Pixel software update. The app is not present on Pixel 9 series devices. We are also notifying other Android OEMs.”

The news of a potential security issue with Pixel phones comes the same week that Google unveiled its new Pixel line of phones at a Made By Google event in Mountain View, California, where the company promoted its new hardware line of phones, watches and earbuds, as well as AI features in its Gemini software.

“While we have no evidence that this vulnerability is being actively exploited, it still has serious implications for enterprise environments, as millions of Android phones are deployed in the workplace every day,” said Rocky Cole, co-founder and chief operating officer of iVerify, in a briefing on the report on Thursday. “Google is essentially giving CISOs the impossible choice of embracing insecure bloatware or banning Android entirely.”

iVerify said the app in question cannot be removed by users; it is part of the firmware of Pixel phones. The app may be a problem on other non-Pixel Android devices released by Verizon that include the Showcase app.

Google said in an email that the Pixel update would be released “in the coming weeks,” but gave users no instructions on what they can do to protect their phones until then, other than protecting them from hackers.


By Olivia
