Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Pixel problems: Google's security nightmare caused by hidden software

A vulnerability included in every version of Android for previous Google Pixel models will soon be patched, but Pixel 9 buyers don't need to worry.

The majority of Google Pixel smartphones sold from September 2017 onward have included a potentially dangerous bit of code in a hidden app. One that could be used to provide considerable access to the device by an attacker.

Security researchers from iVerify discovered an issue when a threat-detection scanner discovered an odd Google Play Store app validation on a device used by someone at Palantir. Wired reports iVerify and Palantir worked together to find and disclose the problems to Google.

The problem stems from a third-party Android package called Showcase.apk. It was developed by Smith Micro to help Verizon put store phones into a retail demo mode.

However, the app has privileges including remote code execution and remote software installation, which could be hazardous when used by an attacker.

It also has the capability of downloading a configuration file over an unencrypted HTTP web connection. This is dangerous as it could be a vector for an attacker to hijack the software and use it for their own purposes.

Though Showcase isn't in use by Verizon anymore, the APK was still included in the Android builds included on Google Pixel smartphones.

Despite the disclosure at the beginning of May, Google has yet to fix the problem, but it does intend to close the security hole. The APK is not present in any Pixel 9 devices, and Google says it will be removed from all supported Pixel devices with a software update within a few weeks.

However, while Google may be in the process of fixing the problem, iVerify believes that the Showcase app could have been embedded on other Android devices as well. Google said it is also notifying other Android producers, just in case.

The Showcase issue demonstrates the issues involved in including third-party apps or software in an operating system release. It also shows that old code can still be included despite not actively being used, and can still be an attack vector.

Android devices are also often sold with a number of preinstalled apps, or bloatware, with the common complaint that they are unwanted and often take up storage capacity.

By contrast, Apple has stopped including third-party apps in versions of iOS and iPadOS that it installs onto the iPhone and iPad. It did include the YouTube app as a preinstalled App, but it was removed in iOS 6 with Google supplying and directly managing its own app release.