Cybersecurity firm iVerify recently discovered a serious vulnerability in millions of Pixel smartphones worldwide and published the findings in a new report. According to the documentthe software in question is called Showcase.apk.
It was originally developed by the third-party company Smith Micro Software for demo devices in Verizon stores. Employees at these locations would have deep access to the many features of a Pixel phone, showing interested customers how they work. Normally, Showcase sits dormant; it does nothing. However, it’s possible for a hacker with enough experience to activate it via a backdoor.
The APK (Android Package Kit) gets its configuration file from an insecure domain on Amazon Web Services. A malicious actor could theoretically intercept these connections or impersonate the website and inject a Pixel phone with malware or spyware. Furthermore, Showcase is easy for cybercriminals to exploit because Showcase has “excessive system privileges.” endanger a target.
What’s especially scary is that Showcase has been part of the Google Pixel ecosystem since September 2017. And the worst part is that the average user can’t remove the APK via the standard uninstall process, because it’s considered a system-level app. iVerify states that “only Google can fix this.”
Repair is in progress
As bad as things are, there is some good news. First, it appears that no one, not even the bad guys, knew about the exploit. A Google spokesperson told The Washington Post that they have not seen any attacks that could be attributed to Showcase. They claimed that there is no evidence of “active exploitation” and even went so far as to suggest that such an attack would be “unlikely.”
Google is well aware of the problem. The tech giant told Forbes They are taking action “out of an abundance of caution” and plan to roll out a patch to all “supported Pixel devices on the market”. Don’t worry about the Pixel 9 series, as none of the four models have Showcase.apk.
Verizon has also been made aware of the report. They say they no longer use the Showcase feature, and the carrier has also seen no evidence of ongoing exploitation. However, like Google, Verizon is removing the feature from support for phones “out of an abundance of caution.”
Availability of patches
We reached out to Google for clarification, and the same spokesperson from earlier shared similar information, though they added that this isn’t an Android or Pixel vulnerability. Instead, the tech giant is pointing the finger at Smith Micro. They tell us that the patch for Pixel phones is rolling out within the next week, and Google is informing other Android manufacturers, implying that third-party devices could be affected by the same issue.
No word yet on when third-party Androids will get their own fix. It will likely all be at the request of the other brands.
Looking for ways to improve your device’s security? Check out Ny Breaking’s seven tips on how to keep your smartphone safe.