Cybersecurity firm iVerify has discovered a security vulnerability that could affect Pixel owners globally due to a third-party app that has deep system-level access to the devices. They have described it as “a serious security vulnerability that impacts Pixel devices globally… leaving millions of devices susceptible to man-in-the-middle (MITM) attacks, giving cybercriminals the ability to inject malicious code and dangerous spyware.”
The app in question is called Showcase.apk and was used by Verizon stores to demonstrate features on devices. It was developed by Smith Micro Software and has been part of the Google software ecosystem since 2017. Because it is integrated so deeply within Google’s ecosystem, it cannot be uninstalled by users. According to iVerify, “only Google can fix this.”
In their report, iVerify outlines why this is a problem. “The application runs at the system level and can fundamentally change the phone’s operating system. Since the application package is installed over unsecured HTTP protocols, this opens a backdoor, making it easy for cybercriminals to compromise the device.”
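The defence against the failure mode iVerify describes (a system-level package fetched over plain HTTP) is to refuse insecure transport and to verify the artifact against a digest pinned out of band, so that neither an on-path rewrite nor a transport downgrade can substitute a modified package. The following Python is an added illustration, not iVerify's or Google's code; the URLs, package bytes and digest are constructed, and the fetcher is injected so it runs offline.

```python
import hashlib
import hmac
from typing import Callable
from urllib.parse import urlparse

# Constructed sample: the "genuine" package bytes a vendor would ship, and the
# SHA-256 digest pinned for it through a trusted channel that is separate from
# the download itself. Both values are made up for this example.
GENUINE_PACKAGE = b"PK\x03\x04 demo-showcase-package (constructed sample)"
PINNED_SHA256 = hashlib.sha256(GENUINE_PACKAGE).hexdigest()


class InsecureTransport(Exception):
    """The artifact would be fetched without transport security."""


class IntegrityFailure(Exception):
    """The fetched bytes do not match the pinned digest."""


def fetch_and_verify_package(url: str, pinned_sha256: str,
                             fetcher: Callable[[str], bytes]) -> bytes:
    """Return the package bytes only if both defences hold:
    1. transport is HTTPS, so a network attacker cannot read or rewrite the
       package in transit (the plain-HTTP install path is the MITM exposure);
    2. the bytes match a digest pinned out of band, so even a broken transport
       cannot substitute a modified package."""
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        raise InsecureTransport(f"refusing to install over {scheme or 'unknown'}://")
    data = fetcher(url)
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256):
        raise IntegrityFailure("package digest does not match pinned value")
    return data


# Test doubles standing in for the network: one returns the genuine package,
# the other returns a copy altered in transit (constructed for this example).
def honest_fetcher(url: str) -> bytes:
    return GENUINE_PACKAGE


def modified_in_transit_fetcher(url: str) -> bytes:
    return GENUINE_PACKAGE.replace(b"demo", b"other")


def install_decision(url: str, fetcher: Callable[[str], bytes]) -> str:
    """Map the outcome of the checks to a short, auditable verdict."""
    try:
        fetch_and_verify_package(url, PINNED_SHA256, fetcher)
        return "installed"
    except InsecureTransport:
        return "blocked: insecure transport"
    except IntegrityFailure:
        return "blocked: integrity failure"
```

Note that the digest check alone would already catch the substituted package; the HTTPS check additionally prevents a passive observer from reading what is being installed.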
The severity of this security risk is such that iVerify co-founder and COO Rocky Cole has stated that it “has serious implications for corporate environments, with millions of Android phones entering the workplace every day. Google is essentially giving CISOs the impossible choice of accepting insecure bloatware or banning Android entirely.”
Are Pixel users at risk of cyberattacks?
There is no evidence at present that this vulnerability has been or is being exploited, and the hope is that, following iVerify's report, Google will resolve the issue.
Google has confirmed to Forbes that although there is “no evidence of any active exploitation,” they will be taking action, stating “out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update.” They have also confirmed that Google Pixel 9 devices will not have the app installed.
Despite iVerify saying that only Google can resolve this issue, Google was quick to deflect blame, reflecting it back to Smith Micro, the originators of the software:
“This is not an Android platform nor Pixel vulnerability, this is an apk [android package kit] developed by Smith Micro for Verizon in-store demo devices and is no longer being used. Exploitation of this app on a user phone requires both physical access to the device and the user’s password.”
At present, there is nothing specific that Pixel users can do to protect themselves against this vulnerability and the associated risk of cyberattack. Be sure to update your phone whenever it prompts you, so that you do not miss the update that removes the apk.