Security Company iVerify Discovers Major Vulnerability in Google Pixel Phones with Pre-Installed Inactive App


Since September 2017, Google Pixel phones have been shipped with an inactive app that has "excessive system permissions" by default, according to a report by security firm iVerify. The company warns that the app could potentially be exploited to take control of a device. Google has confirmed it will remove the app.

The app, discovered by iVerify in collaboration with surveillance firm Palantir, was flagged by iVerify’s EDR (Endpoint Detection and Response) software when it detected a security issue on a Palantir Android device. After a joint investigation, the two companies identified the app in question as "Showcase.apk," which was developed by Smith Micro Software for Verizon. The app is intended to put devices into demo mode for in-store display units. According to iVerify, Showcase.apk is embedded in the firmware image, making it present on "a significant percentage" of Pixel devices worldwide.

The app is hidden and inactive by default, so an attacker would first have to enable it before it could be abused. iVerify believes there may be several ways to do so, but has described only one, which requires physical access to the device, and has withheld the specifics of that activation method.

According to iVerify, Showcase.apk retrieves its configuration file over plain HTTP, which means the file can be modified in transit before it reaches the target device. Because the app, once activated, runs with deep system privileges, a tampered configuration could give an attacker remote code execution, exposing the device to man-in-the-middle attacks, code injection, and spyware. "If Showcase.apk is enabled, the operating system becomes highly susceptible to exploitation," iVerify stated in a press release. iVerify reported the vulnerability to Google in May, according to tech website Wired.
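To make the risk described above concrete, the following is an added illustration written for this page; it is not code from Showcase.apk, iVerify, or Google. It simulates a privileged app that pulls a JSON configuration over an unauthenticated channel, an on-path attacker who rewrites that configuration, and two loaders: one that applies whatever arrives, and one that refuses to act unless an integrity tag over the body verifies. The JSON layout, the component names, the firmware key, and the attacker's edit are all constructed assumptions for the demo; a production design would pair this check with HTTPS and use an asymmetric signature so the device holds only a public key.

```python
"""Added example (not Showcase.apk's code): why a privileged app that fetches
its configuration over plain HTTP is a man-in-the-middle target, and how an
integrity check on the configuration closes that hole.

Everything below is constructed for the demo: the config layout, the
component names, the key, and the attacker's modification are assumptions.
"""
import hashlib
import hmac
import json

# Constructed: what the demo-mode backend would legitimately send.
GENUINE_CONFIG = {"demo_mode": True, "launch": "com.example.demo/.Loop"}

# Constructed: a key provisioned into firmware. A real design would use an
# asymmetric signature (device holds only the public key); HMAC keeps this
# example stdlib-only.
FIRMWARE_KEY = b"constructed-demo-key"


def backend_response(config, signed):
    """Serialize a config; optionally attach an HMAC-SHA256 tag over the body."""
    body = json.dumps(config, sort_keys=True).encode()
    if not signed:
        return {"body": body}
    tag = hmac.new(FIRMWARE_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def on_path_attacker(response):
    """Simulated MITM on the plain-HTTP hop: rewrite the body, leave any tag untouched."""
    cfg = json.loads(response["body"])
    cfg["launch"] = "com.attacker.payload/.Dropper"   # constructed attacker component
    tampered = dict(response)
    tampered["body"] = json.dumps(cfg, sort_keys=True).encode()
    return tampered


def apply_config_insecure(response):
    """Vulnerable pattern: trust whatever arrived and act on it with system privileges."""
    cfg = json.loads(response["body"])
    return cfg["launch"]   # the component a privileged app would now start


def apply_config_verified(response):
    """Hardened pattern: refuse to act unless the body's integrity tag verifies."""
    tag = response.get("tag")
    if tag is None:
        raise ValueError("unsigned config rejected")
    expected = hmac.new(FIRMWARE_KEY, response["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("config integrity check failed")
    cfg = json.loads(response["body"])
    return cfg["launch"]


def demo():
    """Run both loaders against tampered traffic; return what each would launch."""
    results = {}
    # Unsigned config over plain HTTP, modified in transit, applied blindly.
    tampered = on_path_attacker(backend_response(GENUINE_CONFIG, signed=False))
    results["insecure"] = apply_config_insecure(tampered)
    # Signed config, modified in transit: the stale tag no longer matches.
    tampered_signed = on_path_attacker(backend_response(GENUINE_CONFIG, signed=True))
    try:
        results["verified"] = apply_config_verified(tampered_signed)
    except ValueError as exc:
        results["verified"] = f"rejected: {exc}"
    # Untampered signed config still loads normally.
    results["genuine"] = apply_config_verified(backend_response(GENUINE_CONFIG, signed=True))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

The insecure loader happily starts the attacker's component; the verified loader rejects both a tampered body and an unsigned one, and only the untouched signed config is applied. The integrity tag alone does not stop an attacker from replaying an older genuine config or from observing the traffic, which is why transport security remains necessary alongside it.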

In its response to Wired, Google confirmed that Showcase.apk was indeed created for Verizon store demos but is no longer in use. Google also stated that there is no evidence of the vulnerability being actively exploited. The company plans to remove the app from all Pixel devices through a software update "in the coming weeks." As of now, Google has not issued a public advisory regarding the issue.

Palantir, which assisted in the investigation, announced that it will phase out Android devices internally due to concerns raised by this incident. "Google’s integration of third-party software into Android firmware without proper disclosure creates significant security risks for users," said Dane Stuckey, Palantir’s Chief Information Security Officer. He added that interactions with Google during the disclosure process "severely damaged our trust in the Android ecosystem" and confirmed Palantir’s decision to move away from using Android in their enterprise operations.