A new report reveals that many Google Pixel phones sold over the past few years have a “Showcase” app installed that leaves open a worrying security hole, but it will be fixed soon.
Affecting nearly all Pixel phones, “Showcase” is an APK that’s been pre-loaded on Google devices for years. The app was developed by Smith Micro for Verizon and was used to launch a retail mode on the device. However, the app is pre-loaded (out of user reach) in “each Android release for Pixel,” as WIRED reports.
“Showcase” is said to have advanced system privileges including the ability to remotely install software or execute code. The app is designed to download a configuration file which, apparently, is done over an unencrypted HTTP connection that’s vulnerable to hijacking. That’s the primary fear with this app. The deep privileges that “Showcase” has within Android on Pixel devices could open the devices up to control by a malicious party through the app’s privileges.
iVerify, the firm that discovered the vulnerability, disclosed its findings to Google in May and described the problem as “unique in a few ways and quite troubling.”
For end users, the level of risk here seems minimal. While the app is pre-installed on Pixel devices, it’s disabled by default, requiring physical access to the device (and the passcode) to enable it. And, in our brief testing, there’s no easy way to access the app
Google has also acknowledged the vulnerability and confirmed that it will remove “Showcase” from Pixel devices “in the coming weeks.” Google also confirmed that the app is no longer being used by Verizon or Google, and that there’s no evidence of active exploitation of the vulnerability.
The Pixel 9 series ships without “Showcase” installed.
The vulnerability was discovered by iVerify on behalf of Palantir, a data analytics company. Google’s response to the problem, though, was considered “slow” and “opaque” and led to Palantir phasing out Pixel devices, and Android devices as a whole, within its company. Palantir’s chief information security officer said that Google’s response and the fact that the app wasn’t disclosed in the first place “severely eroded our trust in the ecosystem.”
It’s not clear if other Android devices also have “Showcase” installed, but Google is apparently “notifying other Android OEMs.”
There’s no word on exactly when “Showcase” will be removed from all “supported” Pixel devices, but it’s likely to arrive through upcoming security patches.
More on Google Pixel:
- Pixel Weather is officially coming to the Pixel Tablet
- Pixel Magnifier updated with text search, Live Transcribe adds dual-screen mode, more
- Android 14 August security patch rolling out: What’s fixed for Pixel
Follow Ben: Twitter/X, Threads, and Instagram
FTC: We use income earning auto affiliate links. More.
Comments