Google to remove app from Pixel devices following claims that it made phones vulnerable

Google and a cybersecurity company are disputing over claims that an application on Android phones left the devices vulnerable to cyberattacks and spyware.

On Thursday, cybersecurity company iVerify published a report about an Android package called "Showcase.apk” that was installed on a large number of Pixel devices shipped around the world since September 2017. 

The Showcase.apk code runs at the system level and is designed to turn a phone into a demo device, fundamentally changing the way the operating system works, according to iVerify. 

The company said the application “leaves millions of Android Pixel devices susceptible to man-in-the-middle (MITM) attacks, giving cybercriminals the ability to inject malicious code and dangerous spyware.”

Researchers at iVerify said they discovered the app on a device used by an employee of tech giant Palantir. 

A Palantir executive said iVerify flagged an Android device at the company earlier this year as unsecure, prompting an investigation. The Palantir spokesperson confirmed iVerify’s findings that the application package “makes the operating system accessible to hackers.”

“Palantir is completely phasing out Android devices over the next few years, owing not just to this vulnerability, but past detections, as well,” a company spokesperson said. 

Google disputed many of iVerify’s claims in response to inquiries from Recorded Future News, explaining that the issue “is not an Android platform nor Pixel vulnerability.” 

A Google spokesperson said the package was developed by remote access software company Smith Micro for Verizon, which put it on devices for in-store demos but no longer uses it. 

“Exploitation of this app on a user phone requires both physical access to the device and the user's password. We have seen no evidence of any active exploitation,” the Google spokesperson said. 

“Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update. The app is not present on Pixel 9 series devices. We are also notifying other Android [original equipment manufacturers].”

The Google spokesperson added that the application is owned and required by Verizon on all Android devices, noting that iVerify’s report says they found no evidence that there is any way to leverage the reported vulnerabilities on devices that did not have the Showcase application enabled unless the attacker has physical access to the device and developer mode is enabled.

An executive at Verizon said they are aware of the issue but told Recorded Future News that the capability enabling in-store demos of Android devices is “no longer being used by Verizon in stores, and is not used by consumers.” 

“We have seen no evidence of any exploitation of this. Out of an abundance of precaution, Android [original equipment manufacturers] will be removing this demo capability from all supported devices,” Verizon’s spokesperson said. 

Rocky Cole, co-founder of iVerify, took issue with Google’s assessment, telling Recorded Future News that Google “made a business decision to push Verizon software to all Pixel users without giving them the ability to remove it.” 

“The idea that physical access is required to exploit the package is merely an assumption,” Cole said. “This is an Android vulnerability, regardless of what Google says.”

Part of the issue, according to iVerify, is that the application runs at the system level, potentially allowing someone to “fundamentally change the phone’s operating system.” iVerify said it sent a report about the issue to Google but was never told whether Google planned to issue a patch or remove the software. 

Researchers at iVerify said users cannot remove the app themselves and that it created an “untrusted ecosystem” forcing security leaders “to choose between the risk of allowing the bloatware to run on employees’ phones vs. banning Androids together.”

"While we don't have evidence this vulnerability is being actively exploited, it nonetheless has serious implications for corporate environments, with millions of Android phones entering the workplace every day," said Cole.

The company’s researchers believe cybercriminals could use the vulnerabilities in the app’s infrastructure to take over a device or leverage it to distribute other malicious Android packages. 

The researchers also questioned why Google needs to install a third-party application on every Pixel device “when only a very small number of devices would need the Showcase.apk.”

“On most devices iVerify researchers analyzed, the app was inactive by default and had to be manually enabled,” they said, adding that they redacted how to enable the app but warned that there “might be other ways to enable the app or situations where the app is enabled by default.”