Millions of Pixel Phones at Risk: Pre-installed App Vulnerability
iVerify has identified a vulnerability in the Showcase.apk application, which has been pre-installed on millions of Pixel devices worldwide since September 2017. The application’s excessive system privileges enable the possibility of remote code execution and the installation of malicious packages on the device.
iVerify experts, along with partner companies Palantir Technologies and Trail of Bits, conducted a thorough investigation, revealing that Showcase.apk is part of the Pixel devices’ firmware and is included in OTA (over-the-air) images. Google has yet to offer a fix for the issue, and the application cannot be removed through standard methods.
According to iVerify, the application was developed by Smith Micro Software, a Pennsylvania-based company specializing in remote access software and parental control tools. Showcase.apk was originally intended for store employees to demonstrate device functionality. Representatives from Smith Micro have declined to comment on the findings.
The application downloads configuration files from a single domain over plain, unencrypted HTTP, so the files can be intercepted and modified in transit. An attacker positioned on the network path could tamper with the transfer and inject malicious code, which the application would then execute with system privileges, giving the attacker full control of the device. Additionally, the application does not verify the authenticity of the domain from which the configuration files are downloaded, which compounds the problem.
During the technical analysis, the experts uncovered further flaws in the Showcase.apk code. For instance, the application does not properly validate certificates and signatures, allowing an attacker to bypass the verification steps when files are downloaded. The application also uses predictable URLs to communicate with the remote server, which makes the exchange easier to exploit.
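The following is an added illustration, not code from Showcase.apk or from iVerify, of what a fail-closed configuration loader would enforce against the three weaknesses described above: it refuses plaintext HTTP, accepts only an allowlisted host, and checks the server's leaf certificate against a pinned fingerprint before any downloaded bytes are used. The host name, certificate bytes and pin are constructed placeholders, and the transport is injected so the code runs offline.

```python
import hashlib
import hmac
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit

# Constructed placeholders: a real loader would ship the host and pin inside the app.
ALLOWED_HOST = "config.example.invalid"
FAKE_LEAF_CERT = b"constructed-DER-certificate-bytes"  # stand-in for a DER-encoded cert
PINNED_CERT_SHA256 = hashlib.sha256(FAKE_LEAF_CERT).hexdigest()


def check_config_url(url: str, allowed_host: str = ALLOWED_HOST) -> Optional[str]:
    """Return None if the URL passes policy, otherwise the reason it was rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "plaintext transport: configuration could be altered in transit"
    if parts.username or parts.password:
        return "userinfo in URL: possible host confusion"
    if parts.hostname != allowed_host:
        return f"host {parts.hostname!r} is not on the allowlist"
    return None


def check_cert_pin(leaf_cert_der: bytes, pinned_sha256_hex: str = PINNED_CERT_SHA256) -> bool:
    """Compare the served leaf certificate's SHA-256 with the pinned value in constant time."""
    seen = hashlib.sha256(leaf_cert_der).hexdigest()
    return hmac.compare_digest(seen, pinned_sha256_hex)


def load_config(url: str, fetch: Callable[[str], Tuple[bytes, bytes]]) -> bytes:
    """Fetch a configuration file, failing closed on any policy violation.

    fetch(url) returns (leaf_cert_der, body); injecting it keeps the example offline.
    """
    reason = check_config_url(url)
    if reason:
        raise ValueError(f"refusing {url}: {reason}")
    cert_der, body = fetch(url)
    if not check_cert_pin(cert_der):
        raise ValueError("served certificate does not match the pinned fingerprint")
    return body
```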
In light of these findings, Palantir Technologies, one of the largest data analytics companies serving U.S. intelligence agencies, has for several years avoided Android devices within the company in favor of iPhones. While the application is inactive by default on most devices and requires manual activation, the possibility remains that Showcase.apk could be activated by other means.
iVerify compares the discovered vulnerability to the recent global Windows outage caused by a faulty CrowdStrike update. The Showcase.apk vulnerability could likewise have widespread consequences because the flawed component is deeply embedded in the system image.
iVerify reported the issue to Google more than three months ago, but the company took no action to address the flaw until recently. Only after the report was published did Google promise to release an update that will remove the application from supported Pixel devices. A Google representative stated that notifications about the issue will also be sent to other Android device manufacturers.
Google has not yet recorded any cases of the vulnerability being exploited through Showcase and assures that its activation requires physical access to the device and the user’s password. However, Palantir representatives believe that the mere presence of such an application on Google Pixel devices is concerning, as these phone models are considered the most secure among Android devices. It is also unclear why Google pre-installs the application on all Pixel devices when it is used in only a limited number of cases.
Amid the rising number of such incidents, experts are calling for stronger measures to ensure the security of embedded software, as well as a more transparent process for development and testing.