
Google will remove a carrier app from Pixel phones that left a ‘troubling’ security hole

A new report reveals that many Google Pixel phones sold over the past few years have a “Showcase” app installed that leaves open a worrying security hole, but it will be fixed soon.

Affecting nearly all Pixel phones, “Showcase” is an APK that’s been pre-loaded on Google devices for years. The app was developed by Smith Micro for Verizon and was used to launch a retail mode on the device. However, the app is pre-loaded (out of user reach) in “each Android release for Pixel,” as WIRED reports.

“Showcase” is said to have advanced system privileges, including the ability to remotely install software or execute code. The app is designed to download a configuration file, and it apparently does so over an unencrypted HTTP connection that’s vulnerable to hijacking. That’s the primary fear with this app: given the deep privileges “Showcase” has within Android on Pixel devices, a malicious party who hijacked that connection could use the app to take control of the device.

iVerify, the firm that discovered the vulnerability, disclosed its findings to Google in May and described the problem as “unique in a few ways and quite troubling.”

For end users, the level of risk here seems minimal. While the app is pre-installed on Pixel devices, it’s disabled by default, requiring physical access to the device (and the passcode) to enable it. And, in our brief testing, there’s no easy way to access the app.

Google has also acknowledged the vulnerability and confirmed that it will remove “Showcase” from Pixel devices “in the coming weeks.” Google also confirmed that the app is no longer being used by Verizon or Google, and that there’s no evidence of active exploitation of the vulnerability.

The Pixel 9 series ships without “Showcase” installed.

The vulnerability was discovered by iVerify on behalf of Palantir, a data analytics company. Google’s response to the problem, though, was considered “slow” and “opaque” and led to Palantir phasing out Pixel devices, and Android devices as a whole, within its company. Palantir’s chief information security officer said that Google’s response and the fact that the app wasn’t disclosed in the first place “severely eroded our trust in the ecosystem.”

It’s not clear if other Android devices also have “Showcase” installed, but Google is apparently “notifying other Android OEMs.”

There’s no word on exactly when “Showcase” will be removed from all “supported” Pixel devices, but it’s likely to arrive through upcoming security patches.


Author

Ben Schoon

Ben is a Senior Editor for 9to5Google.

Find him on Twitter @NexusBen. Send tips to schoon@9to5g.com or encrypted to benschoon@protonmail.com.

