A worrying report has surfaced online: many Pixel phones appear to ship with a serious security flaw. The report comes from iVerify, which shared its findings with The Washington Post.
Many Pixel phones have a major security flaw thanks to a hidden app
To be clear, iVerify is a mobile threat-hunting firm. According to its report, the software image Google ships on Pixel phones includes a feature that gave Verizon staff considerable access to the devices. It was provided so that they could set up in-store demo units.
That feature, an app, has security flaws that iVerify says attackers could exploit to spy on users or even take remote control of their devices. Needless to say, that is quite worrisome.
All of this runs through a hidden Android app called Showcase. Smith Micro developed the app, and it carries a very high level of privilege on every Pixel generation except the first-gen devices and the newest ones, the Pixel 9 series.
Google says that no damage can be done without physical possession and a user password
What is worse, iVerify suspects that other Android devices may also carry the app. The firm says attackers could reach the dormant app remotely, but Google disagrees, claiming that physical possession of the device and the user’s password would be required.
When active, Showcase downloads its instructions from a server over an unsecured connection. That gives an attacker positioned on the network path an opening to intercept or alter the traffic, and from there to do serious damage.
Google will remove the app just to be safe
Note that users cannot remove the app from their devices themselves. Google says it will. A Google spokesperson said the following: “Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update”.
The issue was first spotted on an Android device at Palantir Technologies, an iVerify client that makes defense software for the US Army. Palantir’s CEO said the following: “Mobile security is a very real concern for us, given where we’re operating and who we’re serving”. He also added: “This was very deleterious of trust, to have third-party, unvetted insecure software on it. We have no idea how it got there, so we made the decision to effectively ban Androids internally”.