A critical 7-year-old security flaw in a pre-installed app on millions of Google Pixel devices has been exposed. The vulnerability allows for potential remote code execution and data breaches. While Google has acknowledged the issue, the delay in addressing this serious threat has raised concerns about user safety.
Researchers at iVerify have discovered a critical vulnerability that has been lurking within Pixel devices since 2017, potentially putting millions of Google Pixel users at risk. The vulnerability lies in a pre-installed app with unnecessary system privileges, allowing attackers to inject malicious code and potentially take over devices.
The app in question is Showcase.apk, designed for Verizon by Smith Micro, an American software company that provides remote access, parental control, and data-clearing tools. This app is supposed to be used to turn Pixels into demo devices. However, it includes a backdoor that gives attackers a way to compromise the device.
iVerify’s EDR capability identified an Android device at Palantir Technologies as insecure, leading to an investigation involving Palantir and Trail of Bits, which revealed that the Showcase.apk Android application package makes the operating system vulnerable to hackers, allowing man-in-the-middle attacks, code injection, and spyware.
Despite not being a Google creation, Showcase has held deep-rooted system privileges, including the alarming ability to execute code remotely and install software without user consent.
This vulnerability could result in data breaches costing billions of dollars. To make matters worse, the app downloads configuration files over an unprotected HTTP connection, a glaring security oversight that could allow attackers to hijack the app and gain complete control of the device.
In practice, the application package retrieves a configuration file over unencrypted HTTP and can then execute system commands or load modules that open a backdoor, allowing cybercriminals to compromise the device. Because the app is not inherently malicious, security tools may overlook it, and since it is installed at the system level as part of the firmware image, users cannot uninstall it.
For context, Showcase.apk is system-level code that transforms a phone into a demo device by altering the operating system. It runs in a privileged context and exhibits a series of weaknesses: it does not authenticate the domain it talks to, uses insecure default variable initialization, alters configuration files, handles non-mandatory files, and communicates insecurely with a predefined URL over HTTP.
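The three paragraphs above describe one root cause: a privileged component fetches a configuration file over plain HTTP from a domain it never authenticates, falls back to insecure defaults, and then acts on whatever arrived. The following Python is an added illustration of how a defender would harden that loader; it is not code from Showcase.apk, iVerify, or Google, and the hostnames, key, and config fields are constructed for the example. It contrasts the trusting pattern the article describes with a loader that enforces HTTPS to an allowlisted host, verifies an integrity tag over the config bytes, and fails closed with inert defaults.

```python
"""
Config-loader hardening modelled on the weaknesses described above:
plain-HTTP transport, no domain authentication, insecure defaults, and
config contents that drive privileged behaviour. Added example, not the
Showcase app's code; all hosts, keys and fields are constructed.
"""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed allowlist: the only host this loader may fetch config from.
ALLOWED_HOSTS = {"config.example.invalid"}

# Constructed shared key for the integrity tag. A real deployment would use
# a public-key signature so the device never holds a signing secret.
CONFIG_KEY = b"constructed-demo-key-not-for-production"


def insecure_load_config(url: str, body: bytes) -> dict:
    """The pattern the article describes, shown for contrast only:
    any scheme, any host, no integrity check, trust whatever arrived."""
    cfg = json.loads(body)
    cfg["status"] = "accepted"
    return cfg


def validate_config_url(url: str) -> bool:
    """Accept only HTTPS URLs whose host is on the allowlist."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False  # plain HTTP is exactly the flaw in the article
    if parsed.hostname not in ALLOWED_HOSTS:
        return False  # unknown / unauthenticated domain
    return True


def sign_config(config_bytes: bytes) -> str:
    """HMAC-SHA256 tag over the raw config bytes (constructed key above)."""
    return hmac.new(CONFIG_KEY, config_bytes, hashlib.sha256).hexdigest()


def load_config(url: str, body: bytes, tag: str) -> dict:
    """
    Parse a fetched config only if transport policy and integrity both pass.
    Fails closed: any problem yields a rejected, inert result instead of
    defaulting to "act on whatever was downloaded".
    """
    if not validate_config_url(url):
        return {"status": "rejected", "reason": "transport policy"}
    if not hmac.compare_digest(sign_config(body), tag):
        return {"status": "rejected", "reason": "integrity"}
    try:
        cfg = json.loads(body)
    except ValueError:
        return {"status": "rejected", "reason": "malformed"}
    # Secure defaults: nothing is enabled unless the verified config says so.
    cfg.setdefault("demo_mode", False)
    cfg.setdefault("allowed_modules", [])
    cfg["status"] = "accepted"
    return cfg


if __name__ == "__main__":
    # Constructed config as the legitimate server would publish it.
    good_body = b'{"demo_mode": true}'
    good_tag = sign_config(good_body)
    # Constructed body as a man-in-the-middle on plain HTTP could rewrite it.
    tampered = b'{"demo_mode": true, "allowed_modules": ["constructed_module"]}'
    print("insecure loader:", insecure_load_config("http://any.host", tampered))
    print("hardened, good :", load_config("https://config.example.invalid/c.json", good_body, good_tag))
    print("hardened, MITM :", load_config("https://config.example.invalid/c.json", tampered, good_tag))
    print("hardened, HTTP :", load_config("http://config.example.invalid/c.json", good_body, good_tag))
```

The point of the contrast is that the insecure loader accepts the tampered body unchanged, while the hardened loader rejects it at the transport check (HTTP, wrong host) or, if the attacker could reach an HTTPS path, at the integrity check; a config that never arrives leaves every privileged feature disabled rather than enabled by default.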
While the exact purpose of the app being pre-installed on Pixels remains unclear, it creates a significant security risk for users. The app cannot be uninstalled through standard methods. Though Google has acknowledged the issue and promised a fix, the delay in addressing this critical vulnerability has raised concerns.
“This is not an Android platform nor Pixel vulnerability, this is an apk developed by Smith Micro for Verizon in-store demo devices and is no longer being used,” a Google spokesperson stated. “Exploitation of this app on a user’s phone requires both physical access to the device and the user’s password. We have seen no evidence of any active exploitation.”
Google mentioned that it would inform other Android OEMs about the APK and pointed out that the Showcase app, owned by Verizon, is mandatory on all Android devices sold by Verizon.
“Why Google installs a third-party application on every Pixel device when only a very small number of devices would need the Showcase.apk is unknown,” iVerify researchers wrote in their blog post.
It’s important to note that Showcase is disabled by default, requiring physical access to a device and knowledge of the system password to activate. However, the potential for remote exploitation cannot be ruled out, especially considering the sophistication of modern cyberattacks.
Commenting on this, Sergio A. Figueroa, Senior Security Consultant at the Synopsys Software Integrity Group, said, “When you buy a new smartphone, you trust it. You expect the hardware and the operating system to work as expected and not to come with any obvious vulnerabilities but if there are any, you expect to receive timely updates that mitigate them, at least for a few years.”
“But how far must that trust be stretched?” Sergio argued. “Different actors may want to put their twist on the system. The original equipment manufacturer (the likes of Samsung, Nokia, or HTC) will change the user interface and create a few applications of its own. The mobile carrier or the retailer who sells you the phone may add just a few apps to the mix. Some of these actors may enter into agreements with third parties to ship specific applications or services,” he said.
“Because of the way these customisations are built into the smartphones, it is hard for most users to get rid of the ones they don’t like. In other words, users are asked to stretch their trust: not only do they have to trust the operating system, but also a bunch of applications they may or may not need and that may or may not follow particular quality and security standards,” explained Sergio. “Even if the operating system is guaranteed to receive security updates for a few years, this is not guaranteed for the weather app installed by the mobile carrier.”
“These preinstalled utilities become a liability: they are installed on many devices, they are hard to remove or disable, and they are not subject to the same security standards as the actual operating system. Hearing they are vulnerable, and that the vulnerability affects large numbers of users should come as no surprise. There is little point in promising seven years of security updates at the operating system level if it is going to be bundled with software that is unburdened by that promise,” he concluded.