Pixel issues: Google’s safety nightmare caused by buried software
Google Pixel 9
Pixel 9 owners don’t have to worry about a vulnerability that was present in all versions of Android for the previous Google Pixel models. Google Pixel smartphones sold since September 2017 have a potentially harmful bit of code hidden in an app, one that could give an attacker considerable access to the device.
Security researchers from iVerify found the issue when a threat scanner detected an odd Google Play Store validation on a device that was used by someone at Palantir. Wired reports that iVerify, Palantir and Google worked together to discover and disclose the problems.
The problem is caused by a third-party Android application called Showcase.apk. Smith Micro developed it to help Verizon convert store phones into retail demo mode. The app can be used to execute remote code and install remote software, which is dangerous if an attacker makes use of it. It can also download a configuration file via an unencrypted HTTP connection. This is dangerous, as it could allow an attacker to hijack the software and use it to their own ends.
Verizon no longer uses Showcase, but the APK is still in the Android builds that come with Google Pixel smartphones. Google has not yet fixed the problem despite the disclosure made at the beginning of May. However, it intends to close the security gap. Google has said that the APK will be removed from all Pixel devices by a software update within a few days.
iVerify believes the Showcase app may have been embedded in other Android devices, even though Google is working to fix the problem. Google has also notified other Android producers in case they are affected.
The Showcase issue illustrates the difficulties of including third-party software or apps in an operating system release. It also shows how old code can remain included even if it is not being actively used, and can become an attack vector.
Android devices are often sold with preinstalled applications, or bloatware. The common complaint is that these apps are unwanted and take up storage space. Apple, on the other hand, has stopped bundling third-party apps with the versions of iOS or iPadOS it installs on iPhones and iPads. It included the YouTube app, but it was removed from iOS 6, with Google providing and managing its own app release.