Google LLC has committed to removing a dubious application found on some or all Pixel phones, following a report that the app represents a serious security vulnerability, though the severity of that vulnerability is in dispute.
A report released today by mobile device security company iVerify LLC, in conjunction with the security team at Palantir Technologies Inc., detailed the discovery of a serious Android security vulnerability that the report says affects millions of Pixel devices globally. According to the report, the vulnerability exposes Android devices to cybercriminals for man-in-the-middle attacks, malware injection and spyware installation.
The vulnerability relates to an Android app package called Showcase.apk. Per the iVerify report, the application runs at the system level and can fundamentally change the phone’s operating system. The application package is installed over unsecured HTTP, opening a backdoor that makes it easy for cybercriminals to compromise the device.
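The defensive point behind the iVerify finding is that a privileged component must never retrieve code or configuration over cleartext HTTP, because anything on the network path can alter it before it reaches the device. The following Python is an added example and is not code from the iVerify report, Google or Smith Micro: it audits a constructed list of endpoints for cleartext or unsupported schemes and shows a fetch routine that only talks HTTPS with certificate and hostname verification and refuses redirects that would downgrade to HTTP. The function names, the endpoint list and every host in it are assumptions made for illustration; none come from the report.

```python
"""Audit configuration endpoints for cleartext HTTP and fetch only over verified TLS.

Added example (not from the iVerify/Palantir report or from Google): the report's
concern is a privileged package retrieving content over unencrypted HTTP, which an
on-path attacker could tamper with. All helper names, hosts and sample entries
below are constructed for illustration.
"""
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed sample: the kind of endpoint list a privileged on-device agent might
# hold. None of these hosts come from the report; they are placeholders.
SAMPLE_ENDPOINTS = [
    ("config_bundle", "http://config.example.invalid/showcase/bundle.json"),
    ("config_bundle_tls", "https://config.example.invalid/showcase/bundle.json"),
    ("telemetry", "ftp://telemetry.example.invalid/upload"),
    ("ip_literal", "http://192.0.2.10/update.xml"),
]


def classify_endpoint(url: str) -> str:
    """Return 'tls' for https, 'cleartext' for http, 'unsupported' otherwise."""
    scheme = urlparse(url).scheme.lower()
    if scheme == "https":
        return "tls"
    if scheme == "http":
        return "cleartext"
    return "unsupported"


def audit_endpoints(entries):
    """Return (name, url, reason) findings for endpoints a privileged component
    must not use: anything that is not fetched over TLS."""
    findings = []
    for name, url in entries:
        kind = classify_endpoint(url)
        if kind == "cleartext":
            findings.append((name, url, "fetched over unencrypted HTTP; tamperable on-path"))
        elif kind == "unsupported":
            findings.append((name, url, f"scheme '{urlparse(url).scheme}' is not permitted"))
    return findings


def fetch_config_securely(url: str, timeout: float = 10.0) -> bytes:
    """Fetch a config blob only over HTTPS with certificate and hostname
    verification, refusing cleartext instead of silently allowing a downgrade."""
    if classify_endpoint(url) != "tls":
        raise ValueError(f"refusing to fetch config over non-TLS URL: {url}")
    # The default context loads the system trust store and enables hostname checks.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED

    class _NoDowngrade(urllib.request.HTTPRedirectHandler):
        # Block any redirect that would move the fetch off HTTPS.
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            if classify_endpoint(newurl) != "tls":
                raise ValueError(f"redirect to non-TLS URL blocked: {newurl}")
            return super().redirect_request(req, fp, code, msg, headers, newurl)

    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx), _NoDowngrade()
    )
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Running the audit over the constructed list flags the three non-TLS entries.
    for name, url, reason in audit_endpoints(SAMPLE_ENDPOINTS):
        print(f"[FINDING] {name}: {url} -> {reason}")
```

The audit half is what an enterprise mobility team can run against an inventory of endpoints used by system-privileged apps; the fetch half is the shape a hardened updater takes, where the refusal to follow an HTTPS-to-HTTP redirect matters as much as the initial scheme check.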
The report notes that users cannot remove the app, since it is part of the firmware image and Google does not allow end users to alter the firmware image for security reasons.
“While we don’t have evidence this vulnerability is being actively exploited, it nonetheless has serious implications for corporate environments, with millions of Android phones entering the workplace every day,” Rocky Cole, co-founder and chief operations officer of iVerify, said in a statement sent to SiliconANGLE. “Google is essentially giving CISOs the impossible choice of accepting insecure bloatware or banning Android entirely.”
The report also stated that Google had been made aware of the vulnerability, with iVerify submitting a detailed report on what the issue is. “It’s unclear if Google will issue a patch or remove the software from the phones to mitigate the potential risks,” the report states.
Though Google has acknowledged that the file may cause security issues, the search giant indicated that the exposure and potential security risk are not as widespread as they may appear.
A Google spokesperson, speaking with CNET, said the app was developed by Smith Micro Software Inc. for Verizon Communications Inc. and is not an Android or Pixel vulnerability. The spokesperson also said the app was only used for in-store devices and is no longer in use.
Further, Google disputes the risk the app presents. “Exploitation of this app on a user phone requires both physical access to the device and the user’s password… we have seen no evidence of any active exploitation,” the spokesperson added. “Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update.”
The claims come after Google announced its latest Pixel lineup at an event on Aug. 13. Google announced a new family of Pixel 9 smartphones, along with the Pixel 9 Pro Fold, that feature the company’s artificial intelligence Gemini family of models.