An alarming new warning for Android users has just been issued, after the discovery of “a serious security vulnerability that impacts Pixel devices globally… leaving millions of devices susceptible to man-in-the-middle (MITM) attacks, giving cybercriminals the ability to inject malicious code and dangerous spyware.”
The warning from smartphone security specialist iVerify concerns the Showcase app pre-installed on tens of millions of Pixel devices. Notably, the vulnerability was first flagged on a device at Palantir, an organisation with an unusually high security bar, with iVerify noting “the application runs at the system level and can fundamentally change the phone’s operating system. Since the application package is installed over unsecured HTTP protocols, this opens a backdoor, making it easy for cybercriminals to compromise the device.”
Palantir has added its weighty voice to iVerify’s, with CISO Dane Stuckey saying “we’re supporting some of the most important institutions in the Western world. Google embedding third-party software in Android’s firmware without reviewing the quality or security of these apps, and not disclosing this to vendors or users, creates significant security vulnerability to anyone who relies on this ecosystem.”
Such was the concern about the lack of transparency and the inability to delete the app that iVerify Co-founder and COO Rocky Cole warned it “has serious implications for corporate environments, with millions of Android phones entering the workplace every day. Google is essentially giving CISOs the impossible choice of accepting insecure bloatware or banning Android entirely.”
A pre-installed, system-level app with any security weakness is a disaster waiting to happen, although iVerify acknowledges that “we don’t have evidence this vulnerability is being actively exploited.” The reason for the heightened concern is that the app “is designed to retrieve a configuration file over unsecured HTTP… to execute system commands or modules that could open a backdoor, making it easy to compromise the device.” Because the app is not itself malicious, just poorly built, “most security technology may overlook it… and since the app is installed at the system level and part of the firmware image, it cannot be uninstalled at the user level.”
iVerify told me it “notified Google with a detailed vulnerability report following their 90-day disclosure process,” although at the time it was still “unclear when Google will issue a patch or remove the software from the phones to mitigate the potential risks.”
Notwithstanding there being “no evidence of any active exploitation,” Google assured me it is taking action, telling me that “out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update. The app is not present on Pixel 9 series devices.” And while iVerify’s report focused on Pixel, Google also said it is “notifying other Android OEMs.”
In terms of the origins of the app, Google told me “this is not an Android platform nor Pixel vulnerability, this is an apk developed by Smith Micro for Verizon in-store demo devices and is no longer being used. Exploitation of this app on a user phone requires both physical access to the device and the user’s password.”
The specific weaknesses that prompted iVerify’s report are three: the configuration file is retrieved without any authentication of its source, its integrity is not checked before it is loaded and acted on, and it travels over plaintext HTTP. Together these are what make a man-in-the-middle attack possible: a party on the network path can alter the file in transit and the app has no way to tell.
iVerify acknowledges the “demo” nature of the Showcase app, “which fundamentally changes the way the operating system works,” although it points out that “the app runs in a highly privileged context, which is unnecessary for the intended purpose of the application.”
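The three weaknesses above map onto three checks a configuration loader can make: refuse a plaintext source, verify a signature from the publisher before parsing, and only then act on the contents. The Go program below is an added illustration of that contrast and is not code from Showcase, Smith Micro or Google; the JSON field names, the URLs, the sample config and the fixed demo key are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Config is the shape of the remote configuration the loader accepts.
// The field names are assumptions for this example, not Showcase's real format.
type Config struct {
	Modules []string        `json:"modules"`
	Flags   map[string]bool `json:"flags"`
}

// SignedEnvelope carries the raw config bytes plus a detached Ed25519
// signature made by the publisher over exactly those bytes.
type SignedEnvelope struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

var (
	ErrInsecureScheme = errors.New("refusing plaintext http:// config source")
	ErrBadSignature   = errors.New("config signature does not verify")
)

// checkSource rejects any config URL that is not https; fetching over
// plaintext HTTP is what exposes the file to on-path modification.
func checkSource(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return ErrInsecureScheme
	}
	return nil
}

// loadInsecure mirrors the flaw in the report: whatever bytes arrived are
// parsed and acted on, with no check of who produced them or whether they
// changed in transit.
func loadInsecure(body []byte) (Config, error) {
	var c Config
	err := json.Unmarshal(body, &c)
	return c, err
}

// loadVerified parses the payload only after the signature over it verifies
// against a publisher public key compiled into the app.
func loadVerified(pub ed25519.PublicKey, env SignedEnvelope) (Config, error) {
	if len(pub) != ed25519.PublicKeySize || len(env.Signature) != ed25519.SignatureSize {
		return Config{}, ErrBadSignature
	}
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return Config{}, ErrBadSignature
	}
	return loadInsecure(env.Payload)
}

// signConfig is the publisher-side step; the private key never ships on the device.
func signConfig(priv ed25519.PrivateKey, payload []byte) SignedEnvelope {
	return SignedEnvelope{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// demoKeyPair derives a fixed key pair from a constant seed so the example is
// deterministic. This is a constructed demo key; a real deployment generates
// the key offline and keeps the private half off the device.
func demoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// tamper simulates an on-path attacker rewriting a plaintext response: the
// module list now names something the publisher never approved.
func tamper(env SignedEnvelope) SignedEnvelope {
	env.Payload = bytes.Replace(env.Payload, []byte("demo-ui"), []byte("attacker-module"), 1)
	return env
}

func main() {
	pub, priv := demoKeyPair()
	// Constructed sample config; not a real Showcase file.
	payload := []byte(`{"modules":["demo-ui"],"flags":{"demo":true}}`)
	genuine := signConfig(priv, payload)
	forged := tamper(genuine)

	fmt.Println("http source:", checkSource("http://config.example.invalid/showcase.json"))

	c, _ := loadInsecure(forged.Payload)
	fmt.Println("insecure loader accepted modules:", c.Modules)

	_, err := loadVerified(pub, forged)
	fmt.Println("verified loader on tampered payload:", err)

	c, err = loadVerified(pub, genuine)
	fmt.Println("verified loader on genuine payload:", c.Modules, err)
}
```

The signature check is what removes the dependence on the transport: even if the file did arrive over plaintext HTTP, a modified payload fails to verify and is never parsed. Transport security still matters, since a signed-but-stale file can be replayed; a production loader would add a monotonic version or expiry field inside the signed payload and reject anything older than what it last accepted.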
Ahead of Google’s mass deletion, iVerify warns that “users cannot do anything to protect themselves from this vulnerability because it is part of the firmware image. Only Google can fix it. That is why this package gives users a very difficult choice between accepting the vulnerability or not using Pixel phones at all.”
This warning clearly comes at an awkward time for Google, with this week’s Pixel 9 launch, the ongoing battle between Pixel and Samsung for Android AI supremacy, and Apple’s forthcoming iPhone 16 launch in the wider premium category.
The answer to iVerify’s question as to “why Google installs a third-party application on every Pixel device when only a very small number of devices would need it” remains unclear. But that concern, it says, “is serious enough that Palantir, who helped identify the security issue, is opting to remove Android devices from its mobile fleet and transition entirely to Apple devices over the next few years.”
All told, a trickier than expected end to Pixel launch week for Google.