Google Pixel phones sold since September 2017 include a dead app with “excessive system permissions” by default. This has been reported by security firm iVerify. According to iVerify, the app could theoretically be used to take control of the device. Google will remove the app.
The app in question was discovered by iVerify in collaboration with surveillance firm Palantir, According to a press release About the vulnerability. iVerify’s EDR flagged a Palantir Android device as insecure. The two companies found the app after conducting a joint investigation. The app in question is called Showcase.apk and is said to have been created by Smith Micro Software for telecom provider Verizon. The app is supposed to be aimed at putting phones in beta mode for stores. iVerify says Showcase is part of the firmware image, and will therefore be present on a “very large percentage” of Pixel devices shipped worldwide.
The package is hidden and inactive by default. Therefore, the app must be manually activated before it can be exploited. According to iVerify, there may be multiple ways to enable the app. The security firm itself has investigated a physical way to enable the app. This requires physical access to the smartphone. Iverify does not share details on how to activate the app. These are general reports..
According to the security firm, Showcase.apk is designed to retrieve a configuration file over HTTP. Iverify wrote, among other things, that the configuration file can be modified before it is sent to the victim’s device. The app runs at the system level, so when it is actually activated, it has “deep system privileges.”
This includes, for example, options to execute remote code on the device in question. “If Showcase.apk is enabled, the operating system becomes vulnerable to man-in-the-middle attacks, code injection, and spyware,” iVerify wrote on Thursday. The company reported the vulnerability to Google in May. Wired Technology Site Reports.
In response to Wired, Google confirmed that the package was created for Verizon Store demos and is no longer in use. The tech giant has seen no indications that the vulnerability is being actively exploited. Google will remove the app from all Pixel devices. The company said this will happen “in the coming weeks” via a software update. The company does not have any public companies at the time of writing. consultative Published. Tweakers asked Google for additional comment.
Palantir, which helped investigate the vulnerability, says it will phase out Android devices internally. “Google building third-party software into Android firmware and not disclosing it to vendors or users creates a huge loophole for anyone who relies on this ecosystem,” said Dane Stuckey. Head of Information Security OfficeS From Palantir to Wired. He says interactions with Google during the disclosure period “seriously impacted our trust in the ecosystem.” “To protect our customers, we had to make the difficult decision to move away from Android in our organization.”
