Millions of Google Pixel phones sold by Verizon contain a pre-installed app that poses potential security risks, according to a recent report by researchers at the cloud-based platform company iVerify. The third-party app, known as Showcase.apk, is directly embedded into the phones’ hardware and designed to put the phones in Verizon’s demo mode, though it usually remains dormant on the devices.
Due to its excessive system privileges and use of unencrypted web connections for configuration, Showcase.apk leaves the operating system and even the phone vulnerable to malicious attacks or malware downloads by hackers. While there’s no evidence hackers have exploited this weakness, Google announced that it would remove this app from current Pixel phones and not include it in future models.
What Showcase.apk Is
Created by the enterprise software company Smith Micro, Showcase.apk has come pre-installed on a large percentage of Google Pixel phones that have been shipped globally since September 2017. According to Google, Verizon owns the app and requires it to be installed on all Android devices it sells. When enabled, the app puts the device in Verizon Retail Demo Mode, which is likely used to enhance the sales of these phones in Verizon stores.
Since the app isn’t enabled or active by default, most Pixel phone users likely don’t notice its existence or have to deal with any of its potential vulnerabilities; however, the app might be able to be activated by multiple methods. Furthermore, since the app is installed at the system level, users can’t remove it from their phones by themselves and would need Google to send them a patch to remove it.
What Vulnerabilities Showcase.apk Poses
https://://gty.im/1955889674
Working with the information security team at software company Palantir Technologies, iVerify has traced the security risks Showcase.apk poses to the excessive number of system privileges it requires and the method it uses to download and install configuration files. Among the privileges the app has are remote code execution and remote package installation capabilities. Hackers can manipulate these remote capabilities to execute malicious code at a system level.
The app also downloads a configuration file from a single United States-based, AWS (Amazon Web Services)-hosted domain over an unencrypted HTTP web connection instead of a secure HTTPS one. The app also doesn’t authenticate or verify the domain when retrieving the file. This transfer method leaves the app and the Pixel phone vulnerable to man-in-the-middle (MITM) attacks, in which hackers intercept and alter the file to include malicious code and dangerous spyware.
The weaknesses in the app’s infrastructure could allow cybercriminals to run code that would grant them system privileges and take control of a user’s Pixel phone. Those criminals could then use the phone to commit various cybercrimes and data breaches. Thus far, however, the only way iVerify has determined that a cybercriminal could hack the app and take control of a user’s phone is to have physical access to the phone. They would then have to enable the app, enter developer mode, and grant Showcase.apk the necessary permissions to take over the device.
How The Companies Are Responding To This Discovery
According to iVerify, by leaving the Pixel phone’s operating system vulnerable to hackers, Showcase.apk could cause data loss breaches that cost millions of dollars. It’s certainly already cost Google some business: Palantir Technologies plans to remove all Android phones from its mobile fleet in favor of Apple devices over the next few years. In its report, iVerify notes that it’s very strange that Google installed the app on so many Pixel phones when only a few actually needed it and that the company doesn’t allow users to remove potentially dangerous apps like Showcase by themselves.
After reading the report iVerify sent to them, Google has pointed out that the Showcase.apk app and its vulnerable configuration file were developed for Verizon’s in-store demo Pixel phones and that the vulnerability shouldn’t be pinned on the Android platform or Pixel phone. They also note that a hacker would require physical access to the phone and the user’s password to exploit the app and that no examples of that happening have occurred to their knowledge. Still, out of caution, Google will be working with Verizon to send out a system update that will remove the app from all supported Pixel devices. They also say that the app is not included on Pixel Series 9 phones.
Final Thoughts
In the conclusion of their report, iVerify notes that the discovery of Showcase.apk’s vulnerabilities emphasizes that companies should be more transparent when discussing third-party apps running as part of a device’s operating system. They also say that companies need to do better testing and provide better quality assurance to ensure the safety of those apps.
Perhaps those are the best lessons to take away from this story, especially since this is far from the first time either Verizon or Google have had to rectify weaknesses in pre-installed third-party apps. Hopefully, both companies will pay more attention in the future to ensure that any third-party apps they preinstall on their devices are safe, secure, and necessary for end users.
For More Great Content
Are you desiring top-tier content that covers everything? From thrilling sports and intoxicating entertainment news to gaming tips and professional betting advice, Total Apex covers it all. Delve into our no-fluff articles to stay ahead of the game with the latest sports action, uncover the hottest trends in entertainment, and get the latest scoops in the gaming industry that will take your experiences to the next level.
Finally, our betting advice will give you a decisive edge over the competition and increase your odds of beating the books. Whether you’re looking to stay updated or gain a competitive edge, Total Apex is your one-stop shop for all things compelling and relevant. Don’t forget we cover Fantasy Sports, too!
Check out all our sites: Total Apex Sports, Total Apex Fantasy Sports, Total Apex Entertainment, Total Apex Sports Bets, and Total Apex Gaming. Out of the ashes of obscurity will rise a beast. Always remember to Respect The Hustle! Follow us on Twitter/X @TotalApexSports to stay informed.
