Mobile phone security firm iVerify has discovered a vulnerability in Google Pixel smartphones. According to iVerify’s investigation, a piece of third-party software with deep system access is to blame, and troublingly it shipped with “a very large percentage of Pixel devices […] since September 2017.”
The issue relates to “Showcase.apk,” a bit of software made for Verizon and used to put Pixel devices in demo mode while displayed in retail stores. The software downloads a configuration file over an unencrypted web connection, which — because of Showcase’s deep access — might allow bad actors to perform remote code execution or remote package installation on the device.
The especially troubling part of this discovery is that Showcase can’t be uninstalled at the user level. And while it is not enabled by default, iVerify said there could be multiple ways to activate the software. iVerify alerted Google to the vulnerability in May; thus far there’s no confirmed evidence it’s been exploited in the wild.
A Google spokesperson told Wired that Showcase “is no longer being used” by Verizon and that Google would have a software update to remove the software from all Pixel devices “in the coming weeks.” Additionally, the rep said Showcase is not present in the line of Google Pixel 9 devices announced during the Made by Google event this week.