Google Pixel hit by long-term vulnerability from 2017

Google Pixel 9

A vulnerability that's present in every version of Android for previous Google Pixel models is being patched soon, but Pixel 9 buyers needn't worry.

The majority of Google Pixel smartphones sold since September 2017 contain a potentially malicious piece of code in a hidden app, one that could be used to grant an attacker significant access to the device.

Security researchers at iVerify discovered the issue when a threat-detection scanner flagged an unusual validation of a Google Play Store app on a device used by someone at Palantir. Wired reports that iVerify and Palantir worked together to investigate the issue and report it to Google.

The issue stems from a third-party Android package called Showcase.apk, which was developed by Smith Micro to help Verizon put store phones into a retail demo mode.

However, the app has privileges including remote code execution and software installation, which could be dangerous if used by an attacker.

It also has the ability to download a configuration file over an unencrypted HTTP connection. This is dangerous because anyone able to tamper with that connection could alter the file, giving an attacker a vector to hijack the software and use it for their own purposes.
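As an added example (not code from the article, nor from Google, iVerify or Smith Micro), this is how a defender might check what a pre-installed package can actually do from `adb shell dumpsys package <pkg>` output, looking for the privileged-system-app plus install-permission combination the article describes. The package name, code path and dumpsys text below are constructed for illustration, since the article does not give Showcase's package name.

```python
"""Audit a pre-installed package's live privileges from `dumpsys package` output."""
import re

# Permissions that let a pre-installed app install software or observe the
# device in ways the article warns about (assumed list, extend as needed).
HIGH_RISK = {
    "android.permission.INSTALL_PACKAGES",
    "android.permission.DELETE_PACKAGES",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_LOGS",
}

# Constructed sample of `adb shell dumpsys package com.example.retaildemo`
# for a hypothetical retail demo app (placeholder name, not the real Showcase APK).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.retaildemo] (c0ffee1):
    userId=10042
    codePath=/product/priv-app/RetailDemo
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
    privateFlags=[ PRIVILEGED ]
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.INSTALL_PACKAGES: granted=true
      android.permission.READ_LOGS: granted=false
"""


def audit_package(dumpsys_text: str) -> dict:
    """Return the package's location, system/privileged status and risky grants."""
    codepath = re.search(r"codePath=(\S+)", dumpsys_text)
    system = bool(re.search(r"flags=\[[^\]]*\bSYSTEM\b", dumpsys_text))
    privileged = bool(re.search(r"privateFlags=\[[^\]]*\bPRIVILEGED\b", dumpsys_text))
    # Only permissions marked granted=true are live; requested-but-denied ones are not.
    granted = set(re.findall(r"^\s+(\S+): granted=true", dumpsys_text, re.M))
    risky = sorted(granted & HIGH_RISK)
    return {
        "code_path": codepath.group(1) if codepath else None,
        "system_app": system,
        "privileged": privileged,
        "risky_permissions": risky,
        # A privileged system app holding install rights cannot be uninstalled by
        # the user; removing it requires a vendor update, as the article describes.
        "needs_vendor_fix": privileged and bool(risky),
    }


if __name__ == "__main__":
    print(audit_package(SAMPLE_DUMPSYS))
```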

Although Showcase is no longer used by Verizon, the APK was still included in Android builds on Google Pixel smartphones.

Despite the revelation in early May, Google has not yet fixed the problem, but it does plan to close the security hole. The APK is not present on any Pixel 9 model, and Google says it will be removed from all supported Pixel devices via a software update within a few weeks.

While Google is working to fix the issue, iVerify believes the Showcase app could be embedded on other Android devices as well. Google said it is also notifying other Android manufacturers, just in case.

The Showcase issue highlights the problems associated with including third-party apps or software in an operating system release. It also shows that old code can still be included, even if it is not actively used, and can still be an attack vector.

Android devices are often sold with a number of pre-installed apps, also known as bloatware. Users often complain that these are unwanted and take up a lot of storage space.

Apple, on the other hand, no longer includes third-party apps in the versions of iOS and iPadOS that ship on the iPhone and iPad. The YouTube app was once pre-installed, but it was removed in iOS 6, with Google providing and directly managing its own app release.