Flaw in Verizon Pixel's firmware poses serious security threat (Update: Google statement)
- Mobile security firm iVerify uncovered a significant vulnerability within the Showcase.apk package on Pixel devices sold through Verizon.
- This package potentially exposes millions of Pixel users to man-in-the-middle attacks, spyware, and other threats.
- The package is embedded in the firmware of Pixel devices sold through Verizon, so it cannot be uninstalled or removed by users.
This is not an Android platform nor Pixel vulnerability, this is an apk developed by Smith Micro for Verizon in-store demo devices and is no longer being used. Exploitation of this app on a user phone requires both physical access to the device and the user’s password. We have seen no evidence of any active exploitation. Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update. The app is not present on Pixel 9 series devices. We are also notifying other Android OEMs.
Original article, August 15, 2024 (09:00 AM ET): Mobile security firm iVerify recently discovered a significant vulnerability that could potentially impact millions of Pixel devices globally. The vulnerability was spotted within an Android application package on Pixel devices and can leave them susceptible to man-in-the-middle attacks, spyware installations, and more.
It’s worth noting that this package, Showcase.apk, runs at the system level and can fundamentally alter the way the device’s operating system functions. Since the package was installed over unsecured HTTP protocols, cybercriminals can potentially exploit this vulnerability and hack devices.
Unfortunately, since it’s a system-level app, the average user cannot uninstall or remove it from their device. This essentially leaves numerous Pixel owners at risk, but iVerify has notified Google about this security vulnerability and its associated risks, so it’s likely that the Mountain View tech giant will issue a patch to address this issue.
The package in question appears within the firmware of retail Pixel devices sold through Verizon. A substantial number of Pixel devices were found to have been shipped with it since September 2017. iVerify believes that the package was likely developed to provide customers with a demo mode, thereby enhancing sales of Pixel phones in Verizon stores. That said, the unintended security risks it presents are rather significant.
Regarding this issue, Rocky Cole, co-founder and Chief Operations Officer of iVerify, said, “While we don’t have evidence this vulnerability is being actively exploited, it nonetheless has serious implications for corporate environments, with millions of Android phones entering the workplace every day.”
The discovery of this package only underscores the need for thoughtful discussions on whether third-party apps should be included as part of the operating system. It also raises questions about the adequacy of quality assurance testing, especially when third-party apps are getting embedded within the firmware of retail devices. iVerify notes, however, that the application package was inactive by default on most devices it tested. For it to function, it would need to be manually enabled.
In our tests, we were able to locate the Showcase.apk package in the Pixel 8 Pro’s Verizon firmware for retail devices. As iVerify explains, the package is not enabled by default. However, the fact that you can manually enable it makes it a potential risk, both if you were to accidentally enable it yourself or if a cybercriminal were to find a way to enable it and hack into your device.