Recent research has uncovered a vulnerable app in the Android software package shipped on a large number of Google Pixel smartphones. Devices shipped worldwide since September 2017 may be susceptible to malware deployment by malicious actors. The issue is linked to a pre-installed app called “Showcase.apk”, which is used primarily on showroom devices.
Google Pixel Phones Contain a Vulnerable Pre-Installed App
According to a recent report, Google Pixel devices shipped globally since September 2017 contain a severe vulnerability embedded in a pre-installed app. The application in question, Showcase.apk, can potentially expose millions of users to significant security risks. Researchers at iVerify discovered that this app has excessive system privileges, which enable it to remotely execute code and install arbitrary packages on the device.
Experts from other companies, including Palantir Technologies and Trail of Bits, state that the app poses considerable security risks for several reasons. First, it downloads a configuration file over an unprotected HTTP connection, making the file vulnerable to tampering. This allows attackers to execute code at the system level. The configuration file is downloaded from a single U.S.-based domain hosted on AWS, which further exacerbates the vulnerability. Also, the app is granted excessive privileges, which could have negative implications in certain scenarios, as discussed below.
Potential Exploitation Risks
The APK file installs the Verizon Retail Demo Mode (“com.customermobile.preload.vzw”), a program developed by Smith Micro, a company specializing in enterprise software. In short, this app is designed to switch devices into a showroom (demo) mode, which includes disabling certain features to prevent tampering or locking. The app requires nearly three dozen different permissions, including access to location and external storage. While the program itself is not inherently malicious (many companies use similar functionality), its implementation here is somewhat different.
The main issue is that the app’s use of an unencrypted HTTP connection makes it vulnerable to “man-in-the-middle” (MitM) attacks. This could allow attackers to eavesdrop on the transferred data and inject their own network packets on the fly, which opens the door to the installation of malicious code or spyware on the targeted device.
The good news is that the app is not enabled by default, meaning there is no potential attack surface unless it is activated. Despite the potential for abuse, there is currently no evidence that this vulnerability has been exploited in the wild. On the other hand, the app’s deep integration into the system firmware means users cannot uninstall it. At the same time, it could be activated if a threat actor gains physical access to the device and enables developer mode. Another case in which the phone may be vulnerable “out-of-box” is when one purchases a showroom stock device: large retailers often offer them at a nice discount, at times at the price of a used smartphone.
Google’s Response
Google responded to the research findings by stating that the vulnerability is not related to the Android platform or Pixel devices but rather to a package specifically developed for Verizon demo devices in stores. Additionally, Google emphasized that exploiting this app would require both physical access to the device and the user’s password. The company also noted that the app is not present on the latest Pixel 9 series devices and confirmed that it will be removed from all supported Pixel devices in a future software update. Showroom devices may need this software (or its equivalents) installed manually.