Google’s premium Pixel smartphone line emphasizes security as a key feature, promising software updates for seven years and using a pure Android version devoid of unnecessary third-party software. However, on Thursday, security specialists at iVerify released a report detailing a vulnerability in Android that has been present in Pixel models since September 2017, potentially allowing device manipulation and control.
The problem involves a software package named “Showcase.apk” that operates at the system level, hidden from users. Developed by Smith Micro for Verizon to enable retail store demo mode on phones, this software is not produced by Google. Nevertheless, it has been part of every Android version for Pixel, possessing extensive system permissions like remote code execution and software installation. More concerning, the app can download a configuration file via an insecure HTTP connection, which, according to iVerify, might be intercepted by an attacker to seize control of the app and consequently the device.
iVerify alerted Google about this issue in early May, and the company has not yet remedied the problem. Google’s representative Ed Fernandez informed WIRED that Verizon is no longer using Showcase and that it will be removed from all supported Pixel devices through an update “in the next few weeks.” He added that there has been no sign of active exploitation and the app does not exist on the newly revealed Pixel 9 series.
In connection to the vulnerability in Showcase, Verizon’s spokesperson George Koroneos stated, “The APK was specifically employed for retail demonstrations and is now discontinued.” Smith Micro has not returned any comments to WIRED regarding the matter before publication.
“I’ve seen a lot of Android vulnerabilities, and this one is unique in a few ways and quite troubling,” says Rocky Cole, chief operating officer of iVerify and a former US National Security Agency analyst. “When Showcase.apk runs, it has the ability to take over the phone. But the code is, frankly, shoddy. It raises questions about why third-party software that runs with such high privileges so deep in the operating system was not tested more deeply. It seems to me that Google has been pushing bloatware to Pixel devices around the world.”
iVerify researchers discovered the application after the company’s threat-detection scanner flagged an unusual Google Play Store app validation on a user’s device. The customer, big data analytics company Palantir, worked with iVerify to investigate Showcase.apk and disclose the findings to Google. Palantir chief information security officer Dane Stuckey says that the discovery and what he describes as Google’s slow, opaque response has prompted Palantir to phase out not just Pixel phones, but all Android devices across the company.
“Google embedding third-party software in Android’s firmware and not disclosing this to vendors or users creates significant security vulnerability to anyone who relies on this ecosystem,” Stuckey tells WIRED. He added that his interactions with Google throughout the standard 90-day disclosure window “severely eroded our trust in the ecosystem. To protect our customers, we have had to make the difficult decision to move away from Android in our enterprise.”
iVerify vice president of research Matthias Frielingsdorf points out that while Showcase represents a concerning exposure for Pixel devices, it is turned off by default. This means that an attacker would first need to turn the application on in a target’s device before being able to exploit it. The most straightforward way to do this would involve having physical access to a victim’s phone as well as their system password or another exploitable vulnerability that would allow them to make changes to settings. Google’s Fernandez emphasized this limiting factor as well.
“We only found a physical way of turning this on, but there might be different ways that a potential remote attacker or someone that is already on the phone with malware might turn this on and use it for privilege escalation,” Frielingsdorf says. “For our knowledge, physical access limits the danger. If I knew a clear remote way to do this, I would not want to do public disclosure because then millions of people’s devices would be in danger.” He adds that iVerify is limiting the technical details it releases about the issue until Google pushes its fix.
The iVerify researchers say that, in addition to Pixel phones, it is possible that Showcase is embedded in other Android devices as well. Google’s Fernandez tells WIRED in the statement that “we are also notifying other Android OEMs,” meaning other original equipment manufacturers who make Android phones.
“We would have much preferred to have Google patch this before we talked about it publicly, but their inability to give a specific patch date left us no other choice,” iVerify’s Cole says. “A well-resourced adversary like a nation state could exploit this—it has the potential to be a backdoor into basically any Pixel in the world.”
Updated 1 pm ET, 8/15/2024: Added a statement from Verizon.