Google sold Android phones with hidden insecure feature, companies find

SAN FRANCISCO — Google’s master software for some Android phones includes a hidden feature that is insecure and could be activated to allow remote control or spying on users, according to a security company that found it inside phones at a U.S. intelligence contractor.

The feature appears intended to give employees at stores selling Pixel phones and other models deep access to the devices so they can demonstrate how they work, according to researchers at iVerify who shared their findings with The Washington Post.

The discovery and Google’s lack of explanation alarmed the intelligence contractor, data analysis platform vendor Palantir Technologies, to the extent that it has stopped issuing Android phones to employees, Palantir told The Post.

“Mobile security is a very real concern for us, given where we’re operating and who we’re serving,” Palantir Chief Information Security Officer Dane Stuckey said. “This was very deleterious of trust, to have third-party, unvetted insecure software on it. We have no idea how it got there, so we made the decision to effectively ban Androids internally.”

The security company said it contacted Google about its findings more than 90 days ago and that the tech giant has not indicated whether it would remove or fix the application.

On Wednesday night, Google told The Post that it would issue an update to remove the application. “Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update,” said company spokesperson Ed Fernandez. He said distributors of other Android phones would also be notified.

The application, called Showcase.apk, is normally dormant. But iVerify was able to enable it on a device in its possession, and the company believes skilled hackers could also enable it from afar. It cannot be removed from phones through the normal uninstall process.

When active, the application downloads instructions from a site hosted on Amazon Web Services. But it tries to connect to an insecure web address beginning with “http” instead of the more secure “https”, so those calls could be intercepted and the site impersonated, with malicious spying instructions sent instead. HTTP sites are so risky that Google’s Chrome browser warns visitors that they are not secure.

“The application downloads a configuration file over an unsecure connection and can be manipulated to execute code at the system level,” iVerify wrote in a draft of a summary report to be published Thursday. The full 40-page analysis was aided by Palantir and Trail of Bits, an established security company affiliated with iVerify.

“The app vulnerability leaves millions of Android Pixel devices susceptible to man-in-the-middle attacks, giving cybercriminals the ability to inject malicious code and dangerous spyware,” iVerify wrote.
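The failure described above is an app fetching its configuration over cleartext HTTP. As an added illustration (not Showcase’s own configuration, and not Google’s or iVerify’s code), here is the Android network security config an app would ship to permit that, beside the hardened form that refuses cleartext platform-wide and pins the one configuration host; the host name and pin values are placeholders:

```xml
<!-- WEAK: hypothetical res/xml/network_security_config.xml. Cleartext is
     allowed, so a configuration fetched from http://config.example/... can be
     replaced by anyone on the network path (the man-in-the-middle case). -->
<network-security-config>
    <base-config cleartextTrafficPermitted="true" />
</network-security-config>

<!-- HARDENED: cleartext is refused for every host (honoured by Android 7.0+),
     and the host serving the configuration is pinned so an impersonated
     server presenting a different certificate is rejected. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="false">
        <!-- placeholder host; use the real configuration server -->
        <domain includeSubdomains="true">config.example</domain>
        <pin-set expiration="2026-01-01">
            <!-- placeholder SPKI digests; Android requires a backup pin -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>

<!-- Wired in from AndroidManifest.xml:
     <application android:networkSecurityConfig="@xml/network_security_config" ...> -->
```

With the hardened config in place, an `http://` fetch fails at the platform level rather than silently succeeding, which is the check a reviewer would look for in any preinstalled app that pulls remote instructions.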

The researchers said the automatic installation of the Showcase app raised similar questions to those presented by the global failure of Windows computers running CrowdStrike security software last month. Like other security programs, CrowdStrike is embedded deep within Windows, so that a programming or configuration mistake can cause much greater damage than just a crash of CrowdStrike’s program itself.

Google’s Fernandez said the company had not seen any hacking through Showcase and suggested it would be unlikely.

The software was made “for Verizon in-store demo devices and is no longer being used,” he said. “Exploitation of this application on a user phone requires both physical access to the device and the user’s password.”

Stuckey said he was especially bothered that Showcase is included in the Google-made Pixel phones. Android models manufactured by Samsung and other phone companies sometimes lag behind when it comes to installing security updates issued by Google.

Since Google has direct control of Pixels, it installs such updates immediately.

“It’s really quite troubling. Pixels are meant to be clean,” Stuckey said. “There is a bunch of defense stuff built on Pixel phones.”

iVerify said the application appeared to have been crafted by a Pennsylvania company called Smith Micro Software, which writes software packages for remote access and parental control tools. Smith Micro did not respond to an email sent Wednesday afternoon.

Source: washingtonpost.com