Hidden Android App Exposes Millions Of Pixel Phones To Takeover

An app intended to enable demo mode for stores has deep OS permissions.

A security vulnerability has been discovered in nearly all Google Pixel smartphones, leaving millions of users at risk.

The flaw, uncovered by researchers at mobile device security firm iVerify, stems from a hidden Android app that has been silently lurking on Pixel devices since 2017.

The company found the weakness when its security software flagged unusual activity on a device belonging to its client, data analytics giant Palantir.

A joint investigation by iVerify, Palantir and Trail of Bits identified the culprit: a pre-installed Android software package named "Showcase.apk".

Developed by enterprise software firm Smith Micro for Verizon, Showcase was originally designed to put phones into demo mode for retail stores. However, the app has been included in every Android release for Pixel phones since 2017 and has extensive system privileges, including the ability to execute remote code and install software without user consent.

Although the app is disabled by default, an attacker could enable it manually, opening a dangerous backdoor into the device.

The app downloads its configuration files over an unencrypted HTTP connection, a security lapse that an attacker positioned on the network path could exploit to substitute their own configuration, hijack the app and gain complete control of the targeted device.
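The following is an added illustration of that failure mode, not Showcase.apk's own code, which the article does not publish. It places a minimal "trust whatever arrives" loader beside a hardened one that refuses non-TLS transport and verifies an authentication tag under a pinned key before acting on the configuration. The server URLs, the JSON config format, the attacker's payload and the verification key are all assumptions constructed for the example; a production design would pin an asymmetric public key (for instance Ed25519) rather than the HMAC used here, which is chosen only because the Python standard library has no asymmetric primitives.

```python
"""Added illustration (not Showcase.apk's code): an unauthenticated config
fetched over plain HTTP versus a loader that checks transport and integrity.
URLs, config format, attacker payload and key are constructed assumptions."""
import hashlib
import hmac
import json
from urllib.parse import urlparse


class ConfigRejected(Exception):
    """Raised by the hardened loader when a config fails a security check."""


# Constructed sample config in a hypothetical format: what the vendor's server
# would serve. Demo mode is off and there is nothing for the app to do.
GENUINE_CONFIG = {"demo_mode": False, "commands": []}

# Constructed attacker config. The article says the app can install software
# without user consent; the command list here stands in for that capability.
ATTACKER_CONFIG = {"demo_mode": True, "commands": ["install attacker.apk"]}


def vulnerable_load(url: str, body: bytes) -> dict:
    """Mirrors the flaw the article describes: whatever arrives is trusted,
    regardless of the transport it came over or who produced it."""
    return json.loads(body)


def on_path_rewrite(body: bytes) -> bytes:
    """Simulated on-path attacker. Plain HTTP offers no confidentiality or
    integrity, so the response body can simply be replaced in transit."""
    return json.dumps(ATTACKER_CONFIG).encode()


# Hardened loader. HMAC-SHA256 stands in for an asymmetric signature with a
# pinned public key (assumption: the stdlib has no Ed25519/RSA). The key
# value itself is invented for the example.
PINNED_KEY = b"illustrative-pinned-verification-key"


def _canonical(config: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()


def sign_config(config: dict, key: bytes = PINNED_KEY) -> bytes:
    """What the server side would publish: the canonical config plus an
    authentication tag over it, wrapped in a JSON envelope."""
    payload = _canonical(config)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return json.dumps({"payload": payload.decode(), "tag": tag}).encode()


def hardened_load(url: str, body: bytes) -> dict:
    """Accept a config only if it came over TLS and its tag verifies under the
    pinned key. Transport alone is not enough: the tag check also defends
    against a compromised mirror or CDN serving a hostile config over HTTPS."""
    if urlparse(url).scheme != "https":
        raise ConfigRejected(f"refusing config over non-TLS transport: {url}")
    try:
        envelope = json.loads(body)
        payload = envelope["payload"].encode()
        tag = envelope["tag"]
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise ConfigRejected(f"malformed config envelope: {exc}") from exc
    expected = hmac.new(PINNED_KEY, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        raise ConfigRejected("config authentication tag does not verify")
    return json.loads(payload)


def on_path_rewrite_signed(body: bytes) -> bytes:
    """The same attacker against the signed envelope: the payload can be
    swapped, but without the key the old tag no longer matches it."""
    envelope = json.loads(body)
    envelope["payload"] = _canonical(ATTACKER_CONFIG).decode()
    return json.dumps(envelope).encode()


def load_outcome(loader, url: str, body: bytes):
    """Run a loader and report ('accepted', config) or ('rejected', reason),
    so both loaders can be compared on identical inputs."""
    try:
        return "accepted", loader(url, body)
    except ConfigRejected as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    http_url = "http://config.example.test/showcase.json"    # assumed URL
    https_url = "https://config.example.test/showcase.json"  # assumed URL
    plain = json.dumps(GENUINE_CONFIG).encode()
    print(load_outcome(vulnerable_load, http_url, on_path_rewrite(plain)))
    signed = sign_config(GENUINE_CONFIG)
    print(load_outcome(hardened_load, http_url, signed))
    print(load_outcome(hardened_load, https_url, signed))
    print(load_outcome(hardened_load, https_url, on_path_rewrite_signed(signed)))
```

Run stand-alone, the vulnerable loader accepts the attacker's rewritten config, while the hardened loader rejects the plain-HTTP fetch outright, accepts the genuine signed config over HTTPS, and rejects the tampered envelope because its tag no longer verifies. The scheme check on its own would not have helped against a hostile server reached over TLS, which is why the integrity check is the part that actually closes the hijack path the article describes.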

Despite being notified of the vulnerability in May, Google has yet to release a patch.

While the tech giant claims the app is no longer in use by Verizon and will be removed from all supported Pixel devices in the coming weeks, the delay has raised concerns among security experts.

"I've seen a lot of Android vulnerabilities, and this one is unique in a few ways and quite troubling," Rocky Cole, chief operating officer of iVerify, told Wired.

"It raises questions about why third-party software that runs with such high privileges so deep in the operating system was not tested more deeply. It seems to me that Google has been pushing bloatware to Pixel devices around the world."

The revelation has prompted Palantir to phase out Android devices entirely, citing the vulnerability and Google's slow response as primary concerns.

"Google embedding third-party software in Android's firmware and not disclosing this to vendors or users creates [a] significant security vulnerability to anyone who relies on this ecosystem," said Dane Stuckey, Palantir's CISO.

iVerify researchers said they are withholding specific technical details to prevent malicious actors from capitalising on the flaw before a patch is released.

Google has acknowledged the issue, stating that the software was intended for Verizon stores and is no longer in use.

The company says it has found no evidence of active exploitation and that the issue does not affect the newly released Pixel 9 series.

However, the security flaw has ignited a broader conversation about the implications of pre-installed software and the importance of timely vulnerability patching.

"The Showcase.apk discovery and other high-profile incidents, like running third-party kernel extensions in Microsoft Windows, highlight the need for more transparency and discussion around having third-party apps running as part of the operating system," iVerify said.

"It also demonstrates the need for quality assurance and penetration testing to ensure the safety of third-party apps installed on millions of devices."