Recent research revealed a vulnerability in a pre-installed Android package found on many Google Pixel smartphones. Devices shipped globally since September 2017 could be at risk of malware because of a pre-installed app named “Showcase.apk,” commonly used on showroom devices.
Google Pixel Phones Have Vulnerable Pre-Installed App
A recent report reveals that Google Pixel devices shipped since September 2017 have a serious vulnerability due to a pre-installed app, Showcase.apk. Discovered by iVerify, this app has excessive system privileges, enabling remote code execution and arbitrary package installation.
Experts from Palantir Technologies and Trail of Bits highlight additional risks, including the app’s use of an unprotected HTTP connection to download a configuration file from a single U.S.-based AWS domain; because the file is fetched in plaintext, it can be tampered with in transit, further amplifying the vulnerability.
The APK file installs Verizon Retail Demo Mode (“com.customermobile.preload.vzw”), created by Smith Micro, which puts devices into showroom mode. This mode is used to demo phones in stores and restricts certain features to prevent tampering. The app needs many permissions, including access to location and storage.
Although the app itself is not malicious, it has a major flaw: it downloads its configuration over an unencrypted HTTP connection. This exposes it to “man-in-the-middle” attacks, in which an attacker on the network path can intercept the data being transferred and substitute content that leads to malicious code or spyware being installed on the device.
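To make the failure mode concrete, here is an added Python example (not code from the article or from the Showcase app) contrasting a loader that applies a downloaded configuration as-is with one that insists on TLS, a pinned vendor host and an integrity check before applying it. The download is simulated by passing the received bytes in directly; the host name, the sample configuration and the tampered copy are constructed, and a pinned SHA-256 digest stands in for a vendor signature over the file.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed sample: the demo-mode configuration the device is supposed to receive.
GENUINE_CONFIG = b'{"demo_mode": true, "install_packages": []}'
# Constructed sample: the same file after an on-path party altered it in transit.
TAMPERED_CONFIG = b'{"demo_mode": true, "install_packages": ["example.untrusted.pkg"]}'

# Hypothetical values: the only host the app should talk to, and a digest of the
# genuine file shipped with the app. The pinned digest stands in for a vendor
# signature; a real deployment would verify a signature so the file can change.
ALLOWED_HOST = "config.vendor.example"
PINNED_SHA256 = hashlib.sha256(GENUINE_CONFIG).hexdigest()


def source_is_trusted(url: str) -> bool:
    """Reject plaintext HTTP and any host other than the pinned vendor host."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname == ALLOWED_HOST


def payload_is_authentic(data: bytes, expected_sha256: str = PINNED_SHA256) -> bool:
    """Compare the downloaded bytes against the pinned digest in constant time."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256)


def weak_loader(url: str, data: bytes) -> dict:
    """The pattern the article describes: whatever arrives from the configured
    URL is parsed and applied. The source and contents are never checked."""
    return json.loads(data)


def hardened_loader(url: str, data: bytes):
    """Apply the file only if it came over TLS from the expected host and its
    contents match what the vendor published; otherwise return None."""
    if not source_is_trusted(url):
        return None
    if not payload_is_authentic(data):
        return None
    return json.loads(data)


if __name__ == "__main__":
    http_url = "http://config.vendor.example/showcase.json"
    https_url = "https://config.vendor.example/showcase.json"
    print(weak_loader(http_url, TAMPERED_CONFIG))       # tampered file is applied
    print(hardened_loader(http_url, GENUINE_CONFIG))    # None: plaintext HTTP
    print(hardened_loader(https_url, TAMPERED_CONFIG))  # None: digest mismatch
    print(hardened_loader(https_url, GENUINE_CONFIG))   # genuine file is applied
```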
Google’s Response
Google said the issue lies in an app made for Verizon demo devices, not in the Android platform or the Pixel phones themselves. To exploit it, someone would need physical access to the device and the user’s password. The app will not ship on the new Pixel 9 series and will be removed from older devices in a future update. Showroom devices may still need it installed manually.