
Google Pixel devices shipped with vulnerable app, putting millions at risk

August 16, 2024 | Ravie Lakshmanan | Mobile Security / Software Security


A significant percentage of Google Pixel devices shipped globally since September 2017 included dormant software that could be used to launch malicious attacks and distribute various types of malware.

The issue manifests itself in the form of a pre-installed Android app called “Showcase.apk” that has excessive system privileges, including the ability to execute remote code and install arbitrary packages on the device, according to mobile security firm iVerify.

“The application downloads a configuration file over an insecure connection and can be manipulated to execute system-level code,” it said in an analysis published jointly with Palantir Technologies and Trail of Bits.

“The application retrieves the configuration file from a single US-based domain hosted on AWS via an insecure HTTP protocol, which leaves the configuration vulnerable and can leave the device vulnerable.”


The app in question is called Verizon Retail Demo Mode (“com.customermobile.preload.vzw”), and requires nearly three dozen different permissions based on artifacts uploaded to VirusTotal in early February, including location and external storage. Posts on Reddit and the XDA forums show that the package has been around since August 2016.

The crux of the issue is that the app downloads a configuration file over an unencrypted HTTP connection, as opposed to HTTPS, which opens the door to modifying that file while it is in transit to the targeted phone. There is no evidence that this method has ever been exploited in the wild.

Image: Permissions requested by the Showcase.apk application

It should be noted that the app is not software developed by Google. It was developed by an enterprise software company called Smith Micro to put the device into demo mode. It is not yet clear why third-party software is directly integrated into the Android firmware, but, speaking on background, a Google representative said that the app is owned by Verizon and is required on all Android devices.

The net result is that Android Pixel smartphones are vulnerable to adversary-in-the-middle (AitM) attacks, giving malicious actors the power to inject malicious code and spyware.

In addition to running in a highly privileged system-level context, the application “fails to authenticate or verify a statically defined domain when retrieving the application configuration file” and “uses an insecure default variable initialization during certificate and signature verification, resulting in valid verification checks after failure.”
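The two weaknesses described above, the cleartext HTTP fetch and the verifier whose result is initialised to "valid" so that a failure during the check leaves it valid, are easy to see side by side in code. The following is an added example written for this article; it is not code from the original page, from iVerify, Smith Micro or Verizon. The signature scheme (HMAC-SHA256 with a constructed demo key), the JSON config format and the hostname are assumptions chosen to keep it self-contained and runnable offline.

```python
"""Fail-open vs fail-closed configuration verification (added example).

Models the pattern iVerify describes: a config fetched from a fixed
server, and a verifier that starts from "valid" and only flips to
"invalid" on an explicit mismatch, so an exception on the way leaves
the config accepted. HMAC stands in for the real certificate/signature
check purely so the example runs with the standard library.
"""
import hashlib
import hmac
import json
import logging
from urllib.parse import urlparse

log = logging.getLogger("showcase-demo")

# Constructed demo key (assumption); a real client would use a pinned public key.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_config(config: bytes, key: bytes = DEMO_KEY) -> str:
    """Hex MAC an honest config server would attach to the config body."""
    return hmac.new(key, config, hashlib.sha256).hexdigest()


def verify_fail_open(config: bytes, sig: str, key: bytes = DEMO_KEY) -> bool:
    """VULNERABLE: `valid` defaults to True. A malformed signature raises
    inside the try block, the error is only logged, and True is returned."""
    valid = True
    try:
        expected = bytes.fromhex(sig)          # ValueError on non-hex input
        mac = hmac.new(key, config, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            valid = False
    except Exception as exc:                   # result is left untouched
        log.warning("verification error: %s", exc)
    return valid


def verify_fail_closed(config: bytes, sig: str, key: bytes = DEMO_KEY) -> bool:
    """HARDENED: nothing is trusted until the comparison itself succeeds."""
    try:
        expected = bytes.fromhex(sig)
    except ValueError:
        return False
    mac = hmac.new(key, config, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)   # False on mismatch or length difference


def load_config(url: str, body: bytes, sig: str, verifier=verify_fail_closed) -> dict:
    """Accept a config only if it came over TLS and its signature verifies.
    `body` and `sig` stand in for the HTTP response so this runs offline."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing cleartext config source: {url}")
    if not verifier(body, sig):
        raise ValueError("config signature check failed")
    return json.loads(body)


if __name__ == "__main__":
    good = b'{"demo_mode": false, "packages": []}'
    sig = sign_config(good)
    # An on-path attacker rewrites the body; the MAC no longer matches, but
    # a junk signature makes the fail-open verifier accept the rewrite anyway.
    tampered = b'{"demo_mode": true, "packages": ["attacker.apk"]}'
    print("fail-open, tampered body, junk sig :", verify_fail_open(tampered, "not-hex"))
    print("fail-closed, same input            :", verify_fail_closed(tampered, "not-hex"))
    print("https + good sig                   :",
          load_config("https://config.example.invalid/showcase.json", good, sig))
```

The fail-open variant is the one to look for in review: any verifier that assigns the success value before the check runs, or whose `except` branch only logs, will report success on the very inputs an attacker controls. Run the module directly to see the tampered config accepted by the vulnerable path and rejected by the hardened one.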

That said, the criticality of the flaw is mitigated to some extent by the fact that the app is not enabled by default, and enabling it is only possible when a threat actor has physical access to a target device and developer mode is enabled.


“Because this app is not inherently malicious, most security technologies can ignore it and not flag it as malicious, and because the app is installed at the system level and part of the firmware image, it cannot be uninstalled at the user level,” iVerify said.
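Because the package sits in the firmware image and cannot be removed from the user level, the practical question for an owner or fleet administrator is whether it is present and in what state. The following triage helper is an added example, not code from the article or from iVerify: it parses the output of `adb shell pm list packages -f` and `adb shell dumpsys package <pkg>` for the `com.customermobile.preload.vzw` package named in the article. The sample output embedded below is constructed; the layout of `dumpsys package` is taken from Android's PackageManager dump and can vary across releases, so treat the regular expressions as assumptions to adjust for your device.

```python
"""Triage: is the Verizon Retail Demo Mode package present, privileged, enabled?

Added example. To run against a real device with USB debugging enabled:
    adb shell pm list packages -f com.customermobile.preload.vzw
    adb shell dumpsys package com.customermobile.preload.vzw
and pass the two outputs to assess(), or call check_device().
"""
import re
import subprocess

PKG = "com.customermobile.preload.vzw"

# PackageManager.COMPONENT_ENABLED_STATE_* codes shown as "enabled=N" in dumpsys.
# DEFAULT (0) means the manifest's android:enabled value applies.
ENABLED_STATES = {0: "DEFAULT", 1: "ENABLED", 2: "DISABLED",
                  3: "DISABLED_USER", 4: "DISABLED_UNTIL_USED"}

# Constructed sample output (assumption about layout; not captured from a device).
SAMPLE_PM = "package:/system/priv-app/Showcase/Showcase.apk=com.customermobile.preload.vzw\n"
SAMPLE_DUMPSYS = """Packages:
  Package [com.customermobile.preload.vzw] (1a2b3c4):
    userId=10087
    codePath=/system/priv-app/Showcase
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
    privateFlags=[ PRIVILEGED ]
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=true notLaunched=true enabled=2
"""


def adb(*args: str) -> str:
    """Run an `adb shell` command and return stdout (requires adb on PATH)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


def parse_pm_list(output: str, pkg: str = PKG):
    """Return the APK path for pkg from `pm list packages -f`, or None if absent."""
    for line in output.splitlines():
        m = re.match(r"package:(\S+)=(\S+)$", line.strip())
        if m and m.group(2) == pkg:
            return m.group(1)
    return None


def parse_dumpsys(output: str, user: int = 0) -> dict:
    """Pull the SYSTEM/PRIVILEGED flags and the per-user enabled state."""
    info = {"system": False, "privileged": False, "installed": None, "enabled": None}
    for line in output.splitlines():
        s = line.strip()
        if s.startswith("flags=") and "SYSTEM" in s:
            info["system"] = True
        if s.startswith("privateFlags=") and "PRIVILEGED" in s:
            info["privileged"] = True
        m = re.match(rf"User {user}:.*\binstalled=(true|false).*\benabled=(\d+)", s)
        if m:
            info["installed"] = m.group(1) == "true"
            info["enabled"] = ENABLED_STATES.get(int(m.group(2)), m.group(2))
    return info


def assess(pm_output: str, dumpsys_output: str) -> dict:
    """Combine both outputs into a single verdict for the package."""
    path = parse_pm_list(pm_output)
    if path is None:
        return {"present": False}
    info = parse_dumpsys(dumpsys_output)
    info.update(present=True, path=path)
    if info["enabled"] == "ENABLED":
        info["risk"] = "active"            # component explicitly switched on
    elif info["enabled"] == "DEFAULT":
        info["risk"] = "manifest-default"  # check android:enabled in the manifest
    else:
        info["risk"] = "disabled"          # dormant, as shipped
    return info


def check_device() -> dict:
    """Live check against the connected device."""
    return assess(adb("pm", "list", "packages", "-f", PKG),
                  adb("dumpsys", "package", PKG))


if __name__ == "__main__":
    print(assess(SAMPLE_PM, SAMPLE_DUMPSYS))
```

On a device where the package is reported as present and `PRIVILEGED`, the `risk` field distinguishes the shipped dormant state from one where the component has been switched on; the latter is what the article's physical-access scenario would produce and is worth investigating before the Pixel update that removes the app arrives.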

In a statement shared with The Hacker News, Google said that this was not a vulnerability in the Android platform or Pixel, and that it was related to a package file developed for Verizon’s in-store demo devices. It also said that the app was no longer in use.

“Exploiting this app on a user’s phone requires both physical access to the device and the user’s password,” a Google spokesperson said. “We have not seen any evidence of active exploitation. As a precaution, we will remove this app from all supported Pixel devices in the market with an upcoming Pixel software update. The app is not present on Pixel 9 series devices. We are also notifying other Android OEMs.”

