Google to Remove App that Made Google Pixel Devices Vulnerable to Attacks

By Viral Trending Content

Aug 16, 2024 | Ravie Lakshmanan | Mobile Security / Software Security

A large percentage of Google’s own Pixel devices shipped globally since September 2017 included dormant software that could be used to stage nefarious attacks and deliver various kinds of malware.

The issue manifests in the form of a pre-installed Android app called “Showcase.apk” that comes with excessive system privileges, including the ability to remotely execute code and install arbitrary packages on the device, according to mobile security firm iVerify.

“The application downloads a configuration file over an unsecure connection and can be manipulated to execute code at the system level,” it said in an analysis published jointly with Palantir Technologies and Trail of Bits.

“The application retrieves the configuration file from a single U.S.-based, AWS-hosted domain over unsecured HTTP, which leaves the configuration vulnerable and can make the device vulnerable.”

The app in question is called Verizon Retail Demo Mode (“com.customermobile.preload.vzw”). Based on artifacts uploaded to VirusTotal earlier this February, it requires nearly three dozen different permissions, including location and external storage. Posts on Reddit and XDA Forums show that the package has been around since August 2016.

The crux of the problem has to do with the app downloading a configuration file over an unencrypted HTTP web connection, as opposed to HTTPS, thereby opening the door for altering it during transit to the targeted phone. There is no evidence that it was ever exploited in the wild.

Permissions requested by the Showcase.apk app

It’s worth noting that the app is not Google-made software. Rather it’s developed by an enterprise software company called Smith Micro to put the device in demo mode. It’s currently not clear why third-party software is directly embedded into Android firmware, but, on background, a Google representative said the application is owned and required by Verizon on all Android devices.

The net result is that it leaves Android Pixel smartphones susceptible to adversary-in-the-middle (AitM) attacks, granting malicious actors powers to inject malicious code and spyware.

Besides running in a highly privileged context at the system level, the application “fails to authenticate or verify a statically defined domain during retrieval of the application’s configuration file” and “uses unsecure default variable initialization during certificate and signature verification, resulting in valid verification checks after failure.”
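
The "valid verification checks after failure" pattern quoted above can be shown in a few lines. This is an added illustration, not code from Showcase.apk or from the iVerify report; the class, the method names and the host `config.example.com` are hypothetical, and the key and config are constructed for the demo.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.*;

public class ConfigVerifyDemo {
    // Fail-open: the result starts out as "valid", so any exception raised
    // during verification leaves it true and the config is accepted.
    static boolean verifyFailOpen(byte[] config, byte[] sig, PublicKey key) {
        boolean valid = true;                        // insecure default
        try {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(key);
            s.update(config);
            valid = s.verify(sig);
        } catch (GeneralSecurityException e) {
            // error swallowed; 'valid' keeps its default value
        }
        return valid;
    }

    // Fail-closed: only an explicit, successful verify() yields true.
    static boolean verifyFailClosed(byte[] config, byte[] sig, PublicKey key) {
        try {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(key);
            s.update(config);
            return s.verify(sig);
        } catch (GeneralSecurityException e) {
            return false;                            // any error means "not verified"
        }
    }

    // Transport check: accept only HTTPS and only the one expected host
    // (hypothetical host name) before any fetch is attempted.
    static boolean isAllowedConfigUrl(String url) {
        URI u = URI.create(url);
        return "https".equalsIgnoreCase(u.getScheme())
            && "config.example.com".equalsIgnoreCase(u.getHost());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PublicKey key = gen.generateKeyPair().getPublic();       // constructed key
        byte[] config = "{\"demo\":true}".getBytes(StandardCharsets.UTF_8);
        byte[] badSig = new byte[3];  // malformed: wrong length for a 2048-bit RSA signature
        System.out.println("fail-open accepts:   " + verifyFailOpen(config, badSig, key));
        System.out.println("fail-closed accepts: " + verifyFailClosed(config, badSig, key));
        System.out.println("http url allowed:    " + isAllowedConfigUrl("http://config.example.com/c.json"));
    }
}
```

The only difference between the two verifiers is the value returned on the error path, which is the property to look for when reviewing signature or certificate checks in pre-installed apps.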

That said, the criticality of the shortcoming is mitigated to some extent by the fact that the app is not enabled by default, and enabling it is possible only when a threat actor has physical access to a target device and developer mode is turned on.

“Since this app is not inherently malicious, most security technology may overlook it and not flag it as malicious, and since the app is installed at the system level and part of the firmware image, it can not be uninstalled at the user level,” iVerify said.

In a statement shared with The Hacker News, Google said it’s neither an Android platform nor Pixel vulnerability, and that it’s related to a package file developed for Verizon in-store demo devices. It also said the app is no longer being used.

“Exploitation of this app on a user phone requires both physical access to the device and the user’s password,” a Google spokesperson said. “We have seen no evidence of any active exploitation. Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update. The app is not present on Pixel 9 series devices. We are also notifying other Android OEMs.”

Update

“Physical access isn’t enough,” GrapheneOS maintainers said in a statement shared on X. “They would also need the user’s password. This app does not expose any attack surface to a physical attacker for that kind of threat model. It exposes no actual attack surface that’s relevant.”

“In order to enable and set up this app, you already need to have more control over the device than this app is able to provide by exploiting the insecure way it fetches a configuration file.”

(The story has been updated after publication to emphasize the fact that the app is disabled by default and that the issue cannot be trivially exploited.)
