Google’s flagship Pixel smartphone series touts security as a top feature, guaranteeing seven years of software updates and running stock Android with no third-party add-ons or bloatware. But researchers at mobile device security company iVerify on Thursday published the findings of an Android vulnerability that appears to have been present in every Android release for Pixel since September 2017, potentially leaving the devices vulnerable to manipulation or hijacking.
The issue is related to a software package called “Showcase.apk” that runs at the system level and is invisible to the user. The application was developed by enterprise software company Smith Micro for Verizon as a mechanism to put phones into demo mode in retail stores; it is not Google software. However, the application has been included in every Android release for Pixel for years and has advanced system privileges, including remote code execution and remote software installation. Even more dangerous, the application is designed to download a configuration file over an unencrypted HTTP web connection, which iVerify researchers say could allow an attacker to hijack it and take control of the application, and potentially the entire device of the victim.
iVerify disclosed its findings to Google in early May, but the tech giant has yet to release a fix for the issue. In a statement to WIRED, Google spokesman Ed Fernandez said “Showcase is no longer used by Verizon” and that Android plans to remove Showcase from all supported Pixel devices in a software update “in the coming weeks.” He added that Google has not seen any evidence of active abuse and that the app is not included on the new Pixel 9 series devices that Google announced this week. Verizon and Smith Micro did not respond to WIRED’s requests for comment before publication.
“We’ve seen a lot of Android vulnerabilities, but this one is unique in several ways and extremely troubling,” said Rocky Cole, chief operating officer at iVerify and a former National Security Agency analyst. “When Showcase.apk is executed, it has the ability to take over the phone, but frankly, the code is shoddy. It makes me wonder why third-party software that runs deep within the OS with such high privileges wasn’t tested more thoroughly. It seems to me like Google is just forcing bloatware onto Pixel devices around the world.”
iVerify researchers discovered the app after the company’s threat detection scanner reported unusual verifications of the Google Play Store app on users’ devices. A client, big data analytics firm Palantir, worked with iVerify to investigate Showcase.apk and reported its findings to Google. Dane Stuckey, Palantir’s chief information security officer, said the discovery, and what he called Google’s slow and opaque response, led Palantir to phase out not only Pixel phones, but all Android devices across the company.
“Google’s decision to embed third-party software into Android’s firmware and then not disclose it to vendors or users creates significant security vulnerabilities for everyone who relies on this ecosystem,” Stuckey told WIRED, adding that his dealings with Google through the standard 90-day disclosure period “severely eroded trust in the ecosystem, and we had to make the difficult decision within our enterprise to move away from Android to protect our customers.”
