A vulnerability included in every version of Android for previous Google Pixel models will soon be patched, but Pixel 9 buyers don't need to worry.
The majority of Google Pixel smartphones sold from September 2017 onward have included a potentially dangerous bit of code in a hidden app. One that could be used to provide considerable access to the device by an attacker.
Security researchers from iVerify discovered an issue when a threat-detection scanner discovered an odd Google Play Store app validation on a device used by someone at Palantir. Wired reports iVerify and Palantir worked together to find and disclose the problems to Google.
The problem stems from a third-party Android package called Showcase.apk. It was developed by Smith Micro to help Verizon put store phones into a retail demo mode.
However, the app has privileges including remote code execution and remote software installation, which could be hazardous when used by an attacker.
It also has the capability of downloading a configuration file over an unencrypted HTTP web connection. This is dangerous as it could be a vector for an attacker to hijack the software and use it for their own purposes.
Though Showcase isn't in use by Verizon anymore, the APK was still included in the Android builds included on Google Pixel smartphones.
Despite the disclosure at the beginning of May, Google has yet to fix the problem, but it does intend to close the security hole. The APK is not present in any Pixel 9 devices, and Google says it will be removed from all supported Pixel devices with a software update within a few weeks.
However, while Google may be in the process of fixing the problem, iVerify believes that the Showcase app could have been embedded on other Android devices as well. Google said it is also notifying other Android producers, just in case.
The Showcase issue demonstrates the issues involved in including third-party apps or software in an operating system release. It also shows that old code can still be included despite not actively being used, and can still be an attack vector.
Android devices are also often sold with a number of preinstalled apps, or bloatware, with the common complaint that they are unwanted and often take up storage capacity.
By contrast, Apple has stopped including third-party apps in versions of iOS and iPadOS that it installs onto the iPhone and iPad. It did include the YouTube app as a preinstalled App, but it was removed in iOS 6 with Google supplying and directly managing its own app release.
7 Comments
It's a backdoor, they probably found a better way or backed it into their OS so they're deprecating the old. Windows has backdoors that date back to the days of Windows NT, they discovered 3 backdoors because someone forgot to encrypt them, one of them was names NSA. Microsoft of course denied that they were intentional...
Absolutely nothing that you do on this phone is private. Alphabet, which owns Google, is an advertising company. They provide search, software, and hardware, and other technologies, solely as a means to spy on us. They build detailed profiles on each and every one of us, the likes of which we have never seen before. In violation of our right to privacy, they scan our emails, record our searches, videos watched, and catalogue every intimate detail about us. They sell that knowledge, as well as the access to us, to other advertisers. All this is done in the service of advertising, and making a buck. These guys would make the East German Stasi blush. And yet, governments around the world, do little to protect us from this scourge, which is far worse that the most pessimistic predictions about invasions of our privacy that I remember from the early days of the world wide web.