Millions of Pixel Devices at Risk Due to Pre-installed App

Key Takeaways

  • Millions of Pixel devices shipped over the last seven years include a significant vulnerability.
  • The "Showcase.apk" app comes pre-installed on many Pixel devices.
  • No evidence of active exploitation, but there is a risk of adversary-in-the-middle (AitM) attacks.

Since September 2017, millions of Google Pixel devices have been shipped with a significant vulnerability that could potentially leave them open to dangerous cyberattacks. 

This flaw lies within a pre-installed Android app that, if exploited, could enable malicious actors to deliver a wide array of malware and execute harmful code, putting users’ data and privacy at risk.

The vulnerability stems from an Android app known as “Showcase.apk,” which comes pre-installed on a substantial number of Pixel devices. This application, according to mobile security firm iVerify, possesses excessive system privileges, including the ability to execute code remotely and install arbitrary packages on the device.

“The application downloads a configuration file over an insecure connection and can be manipulated to execute code at the system level,” stated iVerify in a detailed analysis conducted in collaboration with Palantir Technologies and Trail of Bits. 

The report highlights that the app retrieves its configuration file from a single US-based domain hosted on Amazon Web Services (AWS) over an unsecured HTTP connection. This insecure transmission leaves the configuration file vulnerable to interception and manipulation, thus endangering the device.

Verizon Demo Mode App Poses Security Risk

The Verizon Retail Demo Mode app, identified as “com.customermobile.preload.vzw,” is pre-installed on many Google Pixel devices. This app demands nearly three dozen permissions, including access to location data and external storage. Its presence dates back to at least August 2016.

Permissions requested by the Showcase.apk app

The main issue lies in the app downloading its configuration file via an unencrypted HTTP connection instead of HTTPS. This lack of encryption allows potential attackers to intercept and modify the file, potentially injecting malicious code.

  • Nearly 36 permissions required
  • Unencrypted HTTP connection vulnerable to attacks
  • Present since August 2016
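The article names the package (com.customermobile.preload.vzw) and notes elsewhere that it is shipped disabled by default, so the first thing a device owner or fleet administrator wants to know is whether the package is present at all and, if so, whether it is enabled. The script below is an added example, not code from iVerify, Google or Verizon. It works on two listings captured from a connected device with `adb shell pm list packages` (all installed packages) and `adb shell pm list packages -e` (enabled packages only) and reports one of absent, disabled or enabled. The sample listings in the usage block are constructed.

```shell
#!/bin/sh
# Added example: classify the state of the Verizon demo-mode package named in
# the article. Reads saved "pm list packages" output from files so it can be
# run and tested without a device attached.
DEMO_PKG="com.customermobile.preload.vzw"

# Usage: demo_pkg_state ALL_FILE ENABLED_FILE
#   ALL_FILE      saved output of: adb shell pm list packages
#   ENABLED_FILE  saved output of: adb shell pm list packages -e
# Prints "absent", "disabled" or "enabled". "pm" prefixes every line with
# "package:", and adb output often carries a trailing CR, which tr removes.
demo_pkg_state() {
    if ! tr -d '\r' < "$1" | grep -qx "package:$DEMO_PKG"; then
        echo absent
        return 0
    fi
    if tr -d '\r' < "$2" | grep -qx "package:$DEMO_PKG"; then
        echo enabled
    else
        echo disabled
    fi
}

# Stand-alone run against constructed listings (not real device output):
if [ "${1:-}" = "--demo" ]; then
    all=$(mktemp); en=$(mktemp)
    printf 'package:com.android.chrome\r\npackage:%s\r\n' "$DEMO_PKG" > "$all"
    printf 'package:com.android.chrome\r\n' > "$en"
    echo "state: $(demo_pkg_state "$all" "$en")"   # state: disabled
    rm -f "$all" "$en"
fi
```

On a real device, capture both listings first (`adb shell pm list packages > all.txt; adb shell pm list packages -e > enabled.txt`) and then call `demo_pkg_state all.txt enabled.txt`. A result of "disabled" matches the default state the article describes; "enabled" on a retail device is worth investigating.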

Though there’s no evidence of active exploitation, this vulnerability remains a significant risk for affected devices.

Not Google’s Software: The Role of Third-Party Developers

The “Showcase.apk” app, which is not developed by Google, was created by Smith Micro to enable demo mode on devices for in-store displays. Despite this, it was embedded directly into the Android firmware of Google Pixel devices at Verizon’s request.

This third-party software makes Google Pixel smartphones vulnerable to adversary-in-the-middle (AitM) attacks. In such attacks, a malicious actor could intercept communications between the device and the server, injecting harmful code or spyware. Due to the app’s high system-level privileges, this vulnerability could allow attackers significant control over the compromised device.

The Technical Weaknesses: Exploiting System-Level Privileges

The “Showcase.apk” app has several technical weaknesses that heighten the security risks:

  • Fails to authenticate or verify a statically defined domain during configuration file retrieval
  • Uses insecure default variable initialization during certificate and signature verification
  • Potentially allows attackers to bypass security mechanisms
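Two of the weaknesses listed above (the unverified, statically defined HTTP source and the insecure default during certificate and signature verification, also described under the Verizon demo-mode section) are a recognisable pattern: a verification routine whose result variable starts out as "trusted" so that any path that skips a check accepts the file. The Python below is an added example written to illustrate that pattern and its fail-closed counterpart; it is not Showcase.apk's code. The host name, key and the HMAC-SHA256 signature stand in for whatever certificate and signature scheme the real app uses, and the sample configurations are constructed.

```python
"""Added example: fail-open versus fail-closed configuration verification.

Everything here is constructed for illustration; the real app's domain,
keys, signature format and code are not reproduced.
"""
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed values for the example, not the real app's endpoint or key.
EXPECTED_HOST = "config.example.invalid"
SHARED_KEY = b"example-key-not-a-real-secret"


@dataclass
class FetchedConfig:
    url: str         # URL the configuration was actually retrieved from
    body: bytes      # configuration payload
    signature: str   # hex HMAC-SHA256 over body, or "" when the server sent none


def sign(body: bytes, key: bytes = SHARED_KEY) -> str:
    """Stand-in for the real signature scheme: HMAC-SHA256 over the payload."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_insecure(cfg: FetchedConfig) -> bool:
    """Mirrors the weakness class: the result defaults to trusted, the
    transport and origin are never checked, and an unsigned file skips the
    signature comparison entirely, so it is accepted."""
    trusted = True                       # insecure default initialization
    if cfg.signature:                    # no signature: check is skipped
        if sign(cfg.body) != cfg.signature:
            trusted = False
    return trusted                       # plain HTTP from any host passes


def verify_hardened(cfg: FetchedConfig) -> bool:
    """Fail closed: transport, origin and signature must each pass explicitly."""
    parsed = urlparse(cfg.url)
    if parsed.scheme != "https":         # reject the plain-HTTP fetch
        return False
    if parsed.hostname != EXPECTED_HOST: # pin the expected origin
        return False
    if not cfg.signature:                # an unsigned file is untrusted
        return False
    # constant-time comparison so a wrong signature is rejected without
    # leaking how many leading characters matched
    return hmac.compare_digest(sign(cfg.body), cfg.signature)


def run_samples() -> dict:
    """Evaluate three constructed configurations with both verifiers."""
    genuine = FetchedConfig(
        url=f"https://{EXPECTED_HOST}/showcase.cfg",
        body=b"mode=demo\n",
        signature=sign(b"mode=demo\n"),
    )
    # A response that arrived over HTTP with no signature, as an on-path
    # party could return; the insecure verifier accepts it.
    unsigned_http = FetchedConfig(
        url="http://attacker.invalid/showcase.cfg",
        body=b"mode=demo\ncmd=install\n",
        signature="",
    )
    # A tampered body carrying the genuine file's signature.
    bad_signature = FetchedConfig(
        url=f"https://{EXPECTED_HOST}/showcase.cfg",
        body=b"mode=demo\ncmd=install\n",
        signature=genuine.signature,
    )
    return {
        "insecure": [verify_insecure(c) for c in (genuine, unsigned_http, bad_signature)],
        "hardened": [verify_hardened(c) for c in (genuine, unsigned_http, bad_signature)],
    }


if __name__ == "__main__":
    for name, results in run_samples().items():
        print(name, results)
```

The point of the contrast is the initial value: `verify_insecure` can only become `False` on one branch, so every branch the input manages to skip yields acceptance, which is exactly what an unsigned file over HTTP achieves. `verify_hardened` starts from rejection and has to earn `True`, which is the property a reviewer should look for in any certificate or signature check.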

While these flaws make the app vulnerable, the risk is somewhat reduced because the app isn’t enabled by default. To exploit it, an attacker would need physical access to the device and would have to enable developer mode.

Google’s Response: Addressing the Vulnerability

Google responded to the vulnerability findings with the following clarifications:

  • The issue is not a flaw in the Android platform or specific to Pixel devices.
  • The vulnerability relates to a package developed for Verizon’s in-store demo devices.
  • Exploitation requires physical access to the device and the user’s password.
  • No evidence suggests active exploitation of this vulnerability.

Action Steps:

  • Google will remove the app from all supported Pixel devices in an upcoming software update.
  • The app is not present on Pixel 9 series devices.
  • Google is notifying other Android OEMs to address the issue as well.

This incident highlights the ongoing challenges of securing mobile devices in a complex digital ecosystem. The presence of third-party software within Google Pixel’s firmware emphasizes the need for rigorous security testing and vetting processes.