Since September 2017, a notable number of Google Pixel devices around the world have had dormant software that could potentially be misused for harmful purposes, including the installation of various antivirus programs.

You might be interested in: Microsoft Fixes 90 Vulnerabilities, Including 6 Zero-Days

The root of the problem lies in a pre-installed Android app called “Showcase.apk,” which possesses excessive system-level permissions. These permissions allow remote code execution and the installation of arbitrary apps, as identified by mobile security firm iVerify.

Unsecured Configuration File Poses Risk

According to a joint investigation by iVerify, Palantir Technologies, and Trail of Bits, the app downloads a configuration file through an unsecured connection. This file can be manipulated to execute system-level code, posing a significant security risk. The app fetches this configuration file from a U.S.-based, AWS-hosted domain via an unsecured HTTP connection, making it vulnerable to tampering.

The application in question, known as Verizon Retail Demo Mode (“com.customermobile.preload.vzw”), requires nearly thirty-dozen different permissions, including access to the user’s location and external storage. Posts on Reddit and XDA Forums confirm that this app has been available since August 2016.

Vulnerability Exploitation and Concerns

The major concern is that the app’s use of an unsecured HTTP connection for downloading the configuration file leaves the file susceptible to being altered during transmission. Although there’s no evidence of this vulnerability being exploited in real-world scenarios, it’s an alarming flaw nonetheless.

It’s crucial to note that this app wasn’t developed by Google. Instead, it’s an enterprise application created by Smith Micro, responsible for putting devices into demo mode. A Google representative clarified that this app is owned by Verizon and is required on all Android devices.

Due to this, Google Pixel smartphones are now exposed to adversary-in-the-middle (AitM) attacks, where attackers could insert malicious code into the device. Furthermore, the app doesn’t properly authenticate the domain from which it retrieves its configuration file and uses insecure default settings for certificate and signature verification, leading to potentially failed security checks.

Mitigation Measures and Google’s Response

Despite the severity of this issue, the risk is somewhat reduced by the fact that the app isn’t active by default. However, it could be activated if a threat actor gains physical access to a device and enables developer mode.

Since the app isn’t inherently harmful, most security tools might not detect it as malicious. Moreover, because the app is embedded in the system and part of the firmware, users cannot uninstall it.

Google addressed this vulnerability in a statement to The Hacker News, explaining that the issue isn’t related to the Android platform or the Pixel devices specifically, but rather to a package developed for Verizon’s in-store demo devices. Google also mentioned that the app is no longer in use and assured that a future software update would remove this feature from all supported Pixel devices. The Pixel 9 series devices do not include this app, and Google is informing other Android device manufacturers about the issue.

In summary, while the flaw is concerning, Google has taken steps to address it, and there’s currently no evidence of active exploitation.