If you purchased a Pixel phone between September 2017 and today, it could come with a hidden app pre-installed that exposes you to potential cyberattacks.
On Thursday, cybersecurity firm iVerify released a report detailing an app pre-installed in Pixel firmware called “Showcase.apk,” which was discovered while examining a tagged device from Palantir Technologies, one of iVerify’s clients. According to iVerify, “millions of Android Pixel phones worldwide could have this application.”
Pixel phones, like all other phones on the market, come with pre-installed apps, so what's different about this one? iVerify discovered a serious vulnerability in the app's infrastructure that cybercriminals could exploit.
What could cause this Pixel vulnerability?
The Android app appears to have been developed for Verizon employees to demonstrate what the phones can do. In a statement to The Washington Post, Google spokesman Ed Fernandez said the software was “developed for demo devices in Verizon stores and is no longer used.”
Although the app is not enabled by default and “is not inherently malicious,” iVerify is not so quick to rule out the dangerous possibilities, saying, “There could be multiple methods to enable (the app).” However, Fernandez told The Washington Post that “use of this application on a user’s phone requires both physical access to the device and the user’s password.”
According to iVerify, the Android package Showcase.apk has “excessive system privileges.” These privileges could potentially enable attacks such as “man-in-the-middle (MITM) attacks,” remote code execution, and the installation of malicious code or spyware.
This information was enough for iVerify customer Palantir Technologies to ban Android devices in the company. Dane Stuckey, CISO of Palantir, told The Washington Post, “It was a huge breach of trust because there was untested, unsafe third-party software in there. We have no idea how it got there, so we decided to essentially ban Androids internally.”
iVerify notified Google of this vulnerability when it was first discovered earlier this year, but the published report summary states: “It is unclear when Google will issue a patch or remove the software from the phones to mitigate the potential risks.”
So far there have been no known attacks via Showcase.apk, but Fernandez told The Washington Post on Wednesday evening: “Out of an abundance of caution, we will be removing this from all supported Pixel devices on the market with an upcoming Pixel software update.”
In a separate reply to Wired, Fernandez stated that the software update would arrive “in the coming weeks,” but Google has not yet announced a specific date for the update.
While this vulnerability does not appear to have been exploited in the wild yet, it is an important reminder to always protect your mobile device and to download and install relevant security updates as soon as they become available.