Google Pixel devices classified as vulnerable due to pre-installed app

Security researchers have discovered a new vulnerability that has been affecting Google Pixel devices for several years. As it turns out, an Android application package that has been shipped with Google Pixel devices since 2017 has left them vulnerable due to unnecessary system permissions.

Google Pixel devices vulnerable to RCE attacks

Researchers at iVerify have published a detailed post highlighting a serious security flaw in Google Pixel devices. They found that the Android APK “Showcase.apk”, which has been pre-installed on Google Pixel since 2017, made the devices vulnerable to code execution attacks due to excessive system permissions.

More specifically, this APK is pre-installed with the firmware image of the Pixel devices. The researchers describe the background as follows:

The Showcase.apk package was developed by Smith Micro, a software company operating in the Americas and EMEA that offers software packages for remote access, parental controls and data erasure tools.

Although the app itself is not malicious, it has risky features, such as retrieving configuration files over an insecure HTTP connection. This is why the app is not detected by most security programs.

However, since the app runs at the system level, an attacker can exploit the APK to conduct MiTM attacks, inject malicious code, or deploy spyware. Additionally, the app’s integration at the firmware level means the end user may not be able to manually remove it from the device.

Another aspect that makes this app suspicious is its level of device access, which is unnecessary for its purpose: turning the device into a demo device.

The researchers published further details of these findings in a separate report.

Google will look into the matter

iVerify responsibly reported the matter to Google and proceeded with publication after the 90-day deadline expired. Initially, it remained unclear whether Google intended to fix the bug. However, in a recent statement, the tech giant confirmed that it will fix this issue with future updates and clarified that the issue is not a “security vulnerability.” According to its statement,

Exploitation of this app on a user’s phone requires both physical access to the device and the user’s password. We have not seen any evidence of active exploitation. Out of an abundance of caution, we will be removing this from all supported Pixel devices in the market with an upcoming Pixel software update. The app is not present on Pixel 9 series devices. We are also notifying other Android OEMs.

The researchers also confirmed that the app is disabled by default on most devices. The threat could become real if the app is manually enabled, which is difficult for most users. With future operating system updates from Google to remove the app, the vulnerability will likely no longer pose a threat to Google Pixel users. However, users must ensure that they promptly install system updates as soon as they receive them.

Let us know your thoughts in the comments.

By Olivia
