Issue with Google Pixel Devices Due to Vulnerable Application, Endangering Millions of Users
A significant number of Google’s own Pixel devices distributed worldwide since September 2017 contained inactive software that could potentially enable malicious attacks and deploy various types of malicious software.
The problem arises from a pre-installed Android application named “Showcase.apk” that possesses excessive system authorizations, allowing for the remote execution of code and installation of arbitrary packages on the device, as highlighted by mobile security firm iVerify.
“The software fetches a configuration file via an insecure connection and can be manipulated to run code at the system level,” as noted in an analysis jointly released by iVerify, Palantir Technologies, and Trail of Bits.
“The app fetches the configuration file from a solitary U.S.-based, AWS-hosted domain over an unencrypted HTTP connection, which makes both the configuration and the device vulnerable.”
The problematic application is identified as Verizon Retail Demo Mode (“com.customermobile.preload.vzw”), which has been granted nearly thirty-six distinct permissions based on data uploaded to VirusTotal in February, including location and external storage. Reports on Reddit and XDA Forums indicate that this application has been available since August 2016.
The crux of the issue lies in the app’s method of obtaining a configuration file via an unencrypted HTTP connection instead of a secure HTTPS connection, thereby creating an opportunity for tampering while in transit to the target device. However, there is no evidence suggesting that this vulnerability has been exploited in the wild.
 |
| Permissions requested by the Showcase.apk app |
It should be emphasized that this application is not a product of Google but rather originates from an enterprise software developer named Smith Micro, designed specifically for demo purposes. The reason for third-party software inclusion in Android firmware remains unclear, but a Google representative mentioned that the application is mandated and owned by Verizon for all Android devices.
Consequently, this flaw exposes Android Pixel smartphones to man-in-the-middle (MitM) attacks, empowering malicious entities to introduce malicious code and spyware.
Additionally, aside from operating with significant privileges at the system level, the application “lacks the authentication or verification of a statically defined domain when fetching the application’s configuration file” and “employs insecure default variable initialization during certificate and signature verification, leading to valid verification checks even after a failure.”
Despite this, the severity of the flaw is partially mitigated by the fact that the application is not activated by default, although it has the potential to be activated only if a threat actor physically accesses the target device and enables developer mode.
“Given that this application is not originally malicious, most security tools may overlook it and fail to label it as malicious, and since the app is installed at the system level and integrated into the firmware image, it cannot be uninstalled at the user level,” stated iVerify.
In a response shared with The Hacker News, Google clarified that this is not an Android platform or Pixel vulnerability but relates to a package designed for Verizon in-store demo devices. The tech giant further confirmed that the application is no longer in use.
“Exploiting this app on a user’s device necessitates both physical access to the device and the user’s password,” stated a Google spokesperson. “There is no evidence of any active exploitation. As a precautionary measure, we will eliminate this from all supported Pixel devices currently in the market through an upcoming software update. Note that the app is absent in Pixel 9 series devices. We are also informing other Android OEMs.”
About Author
