Security researchers have spotted a new vulnerability that has been affecting Google Pixel devices for several years. As revealed, an Android application package shipped with Google Pixel devices since 2017 has made them vulnerable due to unnecessary system privileges.
Google Pixel Devices Vulnerable To RCE Attacks
Researchers from iVerify have shared a detailed post highlighting a serious security vulnerability affecting Google Pixel devices. They identified an Android APK, “Showcase.apk,” pre-installed in Google Pixel since 2017, to have made the devices vulnerable to code execution attacks due to excessive system privileges.
Specifically, this APK comes pre-installed with the Pixel devices’ firmware image. Describing its background, the researchers stated,
Showcase.apk package was developed by Smith Micro, a software company operating in the Americas and EMEA that provides software packages for remote access, parental control, and data-clearing tools.
While the app isn’t malicious in itself, it exhibits a risky function, such as retrieving configuration files over an unsecure HTTP connection. That’s why the app remains unflagged by most security programs.
However, since the app runs at the system level, an adversary may exploit the APK for MiTM attacks, malicious code injection, or spyware deployment. Also, the app’s integration at the firmware level means that the end-user may not be able to manually remove it from the device.
Another aspect that adds to this app’s suspiciousness is that it has unnecessary device access, considering its purpose—to turn the device into a demo device.
The researchers have shared more details on these findings in a separate report.
Google To Address The Matter
iVerify responsibly disclosed the matter to Google and went ahead with the public disclosure after the 90-day period. It initially remained unclear if Google intends to address the flaw. However, in a recent statement, the tech giant confirmed patching this problem with future updates, clarifying that the issue isn’t a ‘vulnerability.’ According to its statement,
Exploitation of this app on a user phone requires both physical access to the device and the user’s password. We have seen no evidence of any active exploitation. Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update. The app is not present on Pixel 9 series devices. We are also notifying other Android OEMs.
Besides, the researchers confirmed that the app is disabled by default in most devices. The threat could become real upon manually enabling the app, which is difficult for most users. With future OS updates from Google to remove the app, the vulnerability will likely not remain a threat for Google Pixel users. Nonetheless, users must ensure that they update their devices promptly as and when they receive system updates.
Let us know your thoughts in the comments.