Edgar Cervantes / Android Authority
In summary
- Mobile security firm iVerify has discovered a significant vulnerability in the Showcase.apk package on Pixel devices sold through Verizon.
- This package potentially exposes millions of Pixel users to man-in-the-middle attacks, spyware, and other threats.
- The package is built into the firmware of Pixel devices sold through Verizon and therefore cannot be removed by users.
Update: Google provided the following statement on the issue: "This is not an Android platform or Pixel vulnerability; this is an APK developed by Smith Micro for Verizon in-store demo devices and is no longer in use. Exploitation of this app on a user's phone requires both physical access to the device and the user's password. We have seen no evidence of active exploitation. Out of an abundance of caution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update. The app is not present on Pixel 9 series devices. We are also notifying other Android OEMs."
Original article, August 15, 2024 (9:00 a.m. ET): Mobile security company iVerify recently discovered a significant vulnerability that could potentially affect millions of Pixel devices worldwide. The vulnerability was found in an Android application package shipped on Pixel devices and could leave them susceptible to man-in-the-middle attacks, spyware installation, and more.
It is worth noting that this package, Showcase.apk, runs at the system level and can fundamentally change the way the device's operating system functions. Because the package retrieves its configuration over unencrypted HTTP rather than being protected in transit, an attacker able to intercept that traffic (a man-in-the-middle) could potentially tamper with what the app receives and use this vulnerability to hack the device.
Unfortunately, the average user can’t remove it from their device since it’s a system-level app. This puts many Pixel owners at risk, but iVerify has alerted Google to this security vulnerability and the risks it poses, so it’s likely the Mountain View tech giant will issue a patch to fix it.
The package in question appears in the firmware of retail Pixel devices sold through Verizon, and a significant number of Pixel devices have been found to have shipped with it since September 2017. iVerify believes the package was likely developed to provide a demo mode for customers, thereby improving sales of Pixel phones in Verizon stores. That said, the unintended security risks it introduces are quite significant.
Rocky Cole, co-founder and Chief Operations Officer of iVerify, said the following about the issue: “While we have no evidence that this vulnerability is being actively exploited, it has serious implications for enterprise environments, where millions of Android phones enter the workplace every day.”
The discovery of this package only underscores the need for thoughtful discussions about whether third-party apps should be included as part of the operating system. It also raises questions about the adequacy of quality assurance testing, especially when third-party apps are embedded in the firmware of retail devices. However, iVerify notes that the application package was inactive by default on most devices it tested. In order for it to function, it would have to be manually enabled.
In our testing, we were able to find the Showcase.apk package in the Verizon firmware of the Pixel 8 Pro for retail devices. As iVerify explains, the package is not enabled by default. However, the fact that it can be manually enabled makes it a potential risk, whether you accidentally enable it yourself or a cybercriminal finds a way to enable it and compromise your device.
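Since the article's point is that the package is present in firmware but disabled by default, the practical question for a Pixel owner or an enterprise admin is whether a given device carries Showcase.apk and whether it is currently enabled. The following is an added example written for this page, not code from Android Authority, iVerify, Google or Verizon. It classifies a device from the output of Android's package manager: `pm list packages -f` prints every package with the path of its APK (lines of the form `package:/path/Name.apk=package.name`), and adding `-d` restricts the list to disabled packages. Only the APK file name "Showcase.apk" named in the article is matched; the package name in the constructed sample output is a placeholder, not the real one.

```shell
#!/bin/sh
# Added example (not from the article or any of the parties it names).
# Classify a Pixel's Showcase.apk state from `pm list packages` output.
#
# showcase_state ALL_LIST DISABLED_LIST
#   ALL_LIST      text from `adb shell pm list packages -f`
#   DISABLED_LIST text from `adb shell pm list packages -d -f`
# Prints one of: absent | present-disabled | present-enabled
showcase_state() {
    all="$1"
    disabled="$2"
    # Match the APK file name as the last path component, followed by the
    # "=package.name" separator that pm prints, so "Showcase.apk" inside an
    # unrelated directory name does not produce a false match.
    if ! printf '%s\n' "$all" | grep -qi '/Showcase\.apk='; then
        echo absent
        return 0
    fi
    if printf '%s\n' "$disabled" | grep -qi '/Showcase\.apk='; then
        echo present-disabled
    else
        echo present-enabled
    fi
}

# Run the check against a connected device (needs adb on PATH and USB
# debugging authorised). Not executed unless the script is invoked with --live.
live_check() {
    showcase_state "$(adb shell pm list packages -f)" \
                   "$(adb shell pm list packages -d -f)"
}

# Constructed sample output in the real `pm list packages -f` format. The
# package name after "=" is a hypothetical placeholder, not the actual one.
SAMPLE_ALL='package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/Showcase/Showcase.apk=com.example.hypothetical.showcase
package:/product/app/Calendar/Calendar.apk=com.google.android.calendar'
SAMPLE_DISABLED='package:/system/priv-app/Showcase/Showcase.apk=com.example.hypothetical.showcase'

if [ "${1:-}" = "--live" ]; then
    live_check
else
    # Default-state device: package shipped in firmware but disabled.
    showcase_state "$SAMPLE_ALL" "$SAMPLE_DISABLED"
fi
```

On a device that reports `present-enabled`, the demo-mode app is active and reachable as a system-privileged component, which is the condition the article warns about; `present-disabled` is the shipped default described by iVerify, and `absent` is what Google's statement says Pixel 9 devices and updated devices should show. Because the check only inspects the APK path, it does not depend on knowing the package name, which this page does not give.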