Google’s flagship Pixel smartphone line touts security as a core feature, offering guaranteed software updates for seven years and running stock Android, which is supposed to be free of third-party add-ons and bloatware. But on Thursday, researchers at mobile security firm iVerify published findings about an Android vulnerability that appears to have been present in all Pixel versions of Android since September 2017 and could expose devices to tampering and control.
The issue is related to a software package called “Showcase.apk” that runs at the system level and remains hidden from users’ eyes. The app was developed by enterprise software company Smith Micro for Verizon as a mechanism to put phones into demo mode in a retail store; it is not Google software. However, it has been present in every version of Android for the Pixel for years and has broad system privileges, including remote code execution and remote software installation. Even riskier, the app is designed to download a configuration file over an unencrypted HTTP web connection that iVerify researchers say could be hijacked by an attacker to take control of the app and then the victim’s entire device.
iVerify disclosed its findings to Google in early May, and the tech giant has yet to release a fix for the issue. Google spokesperson Ed Fernandez told WIRED in a statement that Showcase is “no longer being used” by Verizon, and Android will remove Showcase from all supported Pixel devices with a software update “in the coming weeks.” He added that Google has seen no evidence of active exploitation, and that the app is not present on the new Pixel 9 series devices that Google announced this week. Verizon and Smith Micro did not respond to WIRED’s requests for comment ahead of publication.
“I’ve seen a lot of Android vulnerabilities, and this one is unique in some ways and quite concerning,” says Rocky Cole, COO of iVerify and a former analyst with the U.S. National Security Agency. “When Showcase.apk runs, it has the ability to take control of the phone. But the code is, frankly, shoddy. It raises questions about why third-party software running with such high privileges in the deepest parts of the operating system wasn’t tested more thoroughly. It seems to me that Google has been pushing bloatware onto Pixel devices around the world.”
iVerify researchers discovered the app after the company’s threat detection scanner detected an unusual Google Play Store app validation on a user’s device. The client, big data analytics firm Palantir, worked with iVerify to investigate Showcase.apk and disclose the findings to Google. Palantir’s chief information security officer, Dane Stuckey, says the discovery, together with what he describes as Google’s slow and opaque response, has led Palantir to phase out not just Pixel phones, but all of the company’s Android devices.
“Google’s embedding of third-party software into Android firmware and failure to disclose it to vendors or users creates a significant security vulnerability for anyone who relies on this ecosystem,” Stuckey told WIRED. He added that his interactions with Google during the standard 90-day disclosure period “severely eroded our trust in the ecosystem. To protect our customers, we have had to make the difficult decision to move away from Android in our enterprise.”