Cybersecurity firm iVerify recently discovered a serious vulnerability affecting millions of Pixel smartphones worldwide and published their findings in a new report. According to the document, the offending software in question is called Showcase.apk.
It was originally developed by third-party company Smith Micro Software for demo devices inside Verizon stores. Employees at these locations would have deep access to a Pixel phone’s many functions in order to “demonstrate how they work” to interested customers. Normally, Showcase is dormant; it doesn’t do anything. However, it is possible for a skilled-enough hacker to activate it via a backdoor.
The APK (Android Package Kit) receives its configuration file from an insecure domain on Amazon Web Services. A bad actor could, theoretically, intercept these connections or impersonate the website and inject a Pixel phone with malware or spyware. Plus, since Showcase has “excessive system privileges”, it’s easy for cybercriminals to compromise a target.
What’s particularly scary is Showcase has been a part of the Google Pixel ecosystem since September 2017. And the worst part is the average user cannot remove the APK through the standard uninstallation process as it is considered a system-level app. iVerify states “only Google can fix” this.
Fix underway
As bad as things may be, there is good news. First, it appears no one, not even the bad actors, knew about the exploit. A Google spokesperson told The Washington Post that they haven’t seen any attacks that could be attributed to Showcase. They claimed there isn’t any evidence of “active exploitation” and went as far as to suggest such an attack “would be unlikely.”
Google is well aware of the problem. The tech giant told Forbes they are taking action “out of an abundance of precaution” and planning to roll out a patch to all “supported in-market Pixel devices”. Don’t worry about the Pixel 9 series as none of the four models have Showcase.apk.
Verizon has also been made aware of the report. They state that they no longer use the Showcase function, and similarly, the carrier didn’t see any evidence of ongoing exploitation. However, like Google, Verizon is removing the function from supporting phones “out of an abundance of precaution”.
Patch availability
We reached out to Google for clarification and the same spokesperson from earlier shared similar information although they added that this isn't an Android or Pixel vulnerability. Instead, the tech giant is pointing the finger at Smith Micro. They tell us the patch for Pixel phones is rolling out within the coming week and Google is notifying other Android manufacturers, implying that third-party devices could have the same problem.
No word on when third-party Androids will receive their own fix. Presumably, it all be at the behest of the other brands.
If you're looking for ways to improve device security, check out TechRadar's seven tips on how to keep your smartphone safe.
