Pixel 2 and later phones banned at a company after dangerous uninstallable app was discovered
The majority of Pixel 2 and later Google phones contain a feature that cybercriminals can exploit to snoop on a user or remotely control their devices, per mobile threat hunting firm iVerify.
iVerify shared its findings with The Washington Post, which reports that Google's master software for Pixel phones included a feature that gave Verizon sales staff deep access to the devices to help with demos.
This feature has security flaws. This came to light after iVerify's endpoint detection and response (EDR) scanner revealed an insecure Android device at Palantir Technologies, an iVerify client that makes defense software solutions for the US army.
When the matter was investigated by iVerify, Palantir, and Trail of Bits, it was discovered that Google's Pixel devices contained a hidden Android app called Showcase, developed by software maker Smith Micro. For a third-party app, it has a disturbingly high level of privilege.
Showcase is an otherwise dormant app that can be enabled by cybercriminals remotely, though Google denies that and says physical possession and user password would be required for exploitation of the app.
When Showcase is active, it downloads instructions from an insecure website. Hackers can intercept the data that is transmitted and even send malicious spying instructions instead.
It cannot be deleted from phones by users, which means millions of Pixel devices out there are susceptible to man-in-the-middle attacks.
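As an added illustration (not code from Google, Smith Micro, or the Showcase app, whose actual configuration is not public here), the Android network security configuration below shows the kind of weak setting that lets an app fetch instructions over cleartext HTTP from any server, alongside the hardened form an app vendor would ship: cleartext refused, only system CAs trusted, and the instruction server pinned to known certificate public keys. The domain name, expiration date, and pin values are placeholders; the element and attribute names are the real Android network-security-config schema.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest as
     android:networkSecurityConfig="@xml/network_security_config".
     Constructed example for illustration, not the Showcase app's config. -->
<network-security-config>

    <!-- WEAK (commented out): any host may be reached over plain HTTP, and
         user-installed CA certificates are trusted, so an on-path attacker
         can read or replace the downloaded instructions.
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    -->

    <!-- HARDENED: refuse cleartext everywhere, trust only the system CA store. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pin the server the app fetches its instructions from, so even a
         mis-issued certificate from a trusted CA cannot impersonate it.
         Domain, expiration and pin values are placeholders. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">instructions.example.invalid</domain>
        <pin-set expiration="2026-01-01">
            <!-- Base64 SHA-256 of the server's SubjectPublicKeyInfo -->
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_HASH=</pin>
            <!-- Backup pin so a key rotation does not brick the app -->
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_HASH=</pin>
        </pin-set>
    </domain-config>

</network-security-config>
```

Two caveats matter here. First, this configuration is applied by the app's developer at build time; a device owner cannot retrofit it onto a pre-installed app, which is why an uninstallable privileged app with weak transport security leaves users dependent on a vendor update. Second, pinning without a backup pin and an expiration date turns a routine certificate rotation into an outage, so both are included.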
Given the nature of what Palantir does, it immediately banned Android devices at its offices. The company shared the findings with Google 90 days ago and the search giant told The Washington Post today that it would roll out an update in the coming weeks to remove the application. Google spokesperson Ed Fernandez also said that he wasn't aware of any device getting hacked through Showcase and that it would be unlikely.
iVerify researchers suspect that other Android devices may also have the app.
Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update.
Ed Fernandez, Google spokesperson, August 2024
Mobile security is a very real concern for us, given where we’re operating and who we’re serving. This was very deleterious of trust, to have third-party, unvetted insecure software on it. We have no idea how it got there, so we made the decision to effectively ban Androids internally.
Dane Stuckey, Palantir CEO, August 2024