Google's flagship smartphone line, the Pixel, promotes security as a key feature: it offers guaranteed software updates for seven years and runs on stock Android, which is supposed to be free of third-party add-ons and bloatware. On Thursday, however, researchers from the mobile device security firm iVerify published findings about an Android vulnerability that appears to have been present in every Pixel Android release since September 2017 and could have exposed the devices to tampering and takeover.
The issue involves a software package called “Showcase.apk” that runs at the system level and is invisible to users. The application was developed by the software firm Smith Micro for Verizon as a mechanism to put phones into a demo mode for retail stores. It is not Google software. Yet it has been included in every Pixel Android release for years and runs with deep system privileges that let it execute code and install software remotely. Even riskier, the application is designed to download a configuration file over an unencrypted HTTP connection, which, according to the iVerify researchers, an attacker on the network path could hijack to take control of the application and then the victim’s entire device.
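To make the failure mode concrete, here is an added example (not code from WIRED, iVerify, Smith Micro or Google) modelling a privileged component that fetches its configuration over cleartext HTTP, beside a hardened fetch that refuses cleartext transport and verifies the config's integrity before acting on it. The article does not publish Showcase.apk's configuration format, URL or any key material, so the config documents, the `vendor.example` and `attacker.example` hosts, the signing key and the in-memory transport are all constructed for illustration.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed stand-in for the vendor's signing key. HMAC is used only because
# the standard library has no Ed25519; a real design signs with a vendor
# private key and ships only the public key on the device.
SIGNING_KEY = b"constructed-demo-key-not-real"

# Constructed config documents; Showcase.apk's real schema is not shown in the article.
VENDOR_CONFIG = {"demo_mode": True, "install_url": "https://vendor.example/demo.apk"}
ATTACKER_CONFIG = {"demo_mode": True, "install_url": "http://attacker.example/payload.apk"}


def _canonical(config):
    """Deterministic JSON so the signature covers exactly one byte sequence."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()


def sign_config(config):
    """Wire format 'hex_tag.payload': HMAC-SHA256 over the canonical JSON."""
    payload = _canonical(config)
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest().encode()
    return tag + b"." + payload


def fake_transport(url, tamper=False):
    """Stand-in for the network. With tamper=True an attacker rewrites the body:
    over plain HTTP any on-path host can do that; over verified TLS it would
    take a compromised origin. Either way the attacker does not hold SIGNING_KEY,
    so the tag it attaches is garbage."""
    if tamper:
        return b"0" * 64 + b"." + _canonical(ATTACKER_CONFIG)
    return sign_config(VENDOR_CONFIG)


def vulnerable_fetch_config(url, tamper=False):
    """The pattern described above: any URL scheme accepted, body never verified."""
    _tag, _, payload = fake_transport(url, tamper).partition(b".")
    return json.loads(payload)


def hardened_fetch_config(url, tamper=False):
    """Refuse cleartext transport, then verify the body before trusting it."""
    if urlparse(url).scheme != "https":
        raise ValueError("refusing cleartext config URL: " + url)
    tag, _, payload = fake_transport(url, tamper).partition(b".")
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("config integrity check failed")
    return json.loads(payload)


if __name__ == "__main__":
    # Vulnerable client on a hostile network: silently applies the attacker's
    # config, including an install URL the attacker controls.
    print("vulnerable applied:", vulnerable_fetch_config("http://vendor.example/config", tamper=True))
    for url, tamper in [("http://vendor.example/config", False),
                        ("https://vendor.example/config", True),
                        ("https://vendor.example/config", False)]:
        try:
            print("hardened applied:", hardened_fetch_config(url, tamper))
        except ValueError as exc:
            print("hardened rejected:", exc)
```

The two checks are independent and both matter: on Android the transport rule is normally expressed declaratively by setting `cleartextTrafficPermitted="false"` in the app's network security config rather than by inspecting URLs in code, and the integrity check belongs on the config itself (with an asymmetric signature in production), so that a compromised origin or CDN is not enough to push a hostile config to a component that can install software.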
iVerify reported its findings to Google in early May, and the tech giant has yet to release a fix for the issue. Google spokesperson Ed Fernandez told WIRED in a statement that Showcase is “no longer being used” by Verizon, and that Android will remove Showcase from all supported Pixel devices with a software update “in the coming weeks.” He added that Google has seen no evidence of active exploitation and that the app is not present in the new Pixel 9 series devices that Google announced this week. Verizon and Smith Micro did not respond to WIRED's requests for comment prior to publication.
“I’ve seen a lot of Android vulnerabilities, and this one is unique and quite troubling in a few ways,” said Rocky Cole, chief operating officer of iVerify and a former National Security Agency analyst. “When Showcase.apk is running, it can take over the phone. But the code is, frankly, sloppy. It raises questions about why third-party software running with such elevated privileges so deep in the OS hasn’t been tested more deeply. It appears that Google has been pushing bloatware to Pixel devices around the world.”
Researchers at iVerify discovered the application after the company’s threat detection scanner flagged an unusual validation of a Google Play Store app on a user’s device. The customer, big data analytics firm Palantir, worked with iVerify to investigate Showcase.apk and report the findings to Google. Palantir’s chief information security officer Dane Stuckey says the discovery, and what he describes as Google’s slow, opaque response, prompted Palantir to phase out not just Pixel phones but all of the company’s Android devices.
“Google embedding third-party software into Android firmware and not disclosing it to vendors or users creates a significant security risk for everyone who relies on this ecosystem,” Stuckey told WIRED. He added that his interactions with Google during the standard 90-day disclosure period “have seriously undermined our trust in the ecosystem. To protect our customers, we have had to make the difficult decision to exit Android from our business.”