Security Concerns Surrounding Google’s Pixel Devices
A significant discovery has emerged regarding a portion of Google’s Pixel devices, which have been in circulation since September 2017. Research conducted by the mobile security firm iVerify reveals that these devices contain a dormant software component capable of facilitating malicious attacks and deploying various forms of malware.
The focal point of this issue is an Android application known as “Showcase.apk.” This app possesses extensive system privileges, allowing it to execute code remotely and install arbitrary packages on the device. According to the analysis, which was conducted in collaboration with Palantir Technologies and Trail of Bits, the application retrieves a configuration file through an unsecured connection, raising serious security concerns.
Specifically, the app downloads its configuration from a single U.S.-based, AWS-hosted domain via unsecured HTTP. This vulnerability not only exposes the configuration file but also leaves the device open to potential exploitation.
Further investigation identifies the app as Verizon Retail Demo Mode (“com.customermobile.preload.vzw”), which has been noted to require nearly three dozen permissions, including access to location and external storage. Interestingly, discussions on platforms like Reddit and XDA Forums indicate that this package has been in existence since August 2016.
The core of the security dilemma lies in the app’s reliance on an unencrypted HTTP connection for downloading its configuration file, rather than utilizing the more secure HTTPS protocol. This oversight creates an opportunity for malicious actors to manipulate the file during its transit to the targeted device. Fortunately, there is currently no evidence suggesting that this vulnerability has been exploited in the wild.
It is important to clarify that Showcase.apk is not a product of Google; rather, it is developed by Smith Micro, an enterprise software company, specifically for demo purposes. The rationale behind embedding third-party software directly into Android firmware remains unclear. However, a representative from Google stated that the application is mandated by Verizon for all Android devices.
This situation ultimately renders Android Pixel smartphones vulnerable to adversary-in-the-middle (AitM) attacks, which could allow malicious entities to inject harmful code and spyware. The application operates with elevated privileges at the system level, yet it fails to authenticate or verify the domain from which it retrieves its configuration file. Additionally, it employs insecure default variable initialization during certificate and signature verification, leading to potential validation checks succeeding despite failures.
Despite the severity of these shortcomings, the risk is somewhat mitigated by the fact that the app is not activated by default. However, should a threat actor gain physical access to a device with developer mode enabled, they could potentially exploit this vulnerability.
iVerify has pointed out that since the app is not inherently malicious, traditional security technologies may overlook it, failing to flag it as a threat. Furthermore, being installed at the system level as part of the firmware image means that users cannot uninstall it.
In a statement to The Hacker News, Google clarified that this issue does not represent a vulnerability within the Android platform or Pixel devices themselves, but rather pertains to a package developed for Verizon’s in-store demo devices. The company also noted that the app is no longer in use.