Less than 48 hours after Google unveiled the Pixel 9 line to the world, news broke that might put a pause to the company’s celebrations: Since 2017, Pixels have been shipping with a major security vulnerability baked into their firmware, and it can’t be removed or fixed by the user.
The news comes from iVerify, a self-described “mobile treat hunting” company, and Palantir Technologies, a software company for data analytics. iVerify announced the discovery of the vulnerability in a blog post on Thursday, warning that this security flaw puts Android on Pixel phones at risk of man-in-the-middle attacks, as well as malware and spyware installation.
How this vulnerability works
The vulnerability comes from the app package Showcase.apk on Android, which comes installed on “a very large percentage” of Pixel phones. (iVerify does not say an exact number, but does claim “millions” of Pixel devices are affected.) Showcase.apk reportedly runs in a “highly privileged context,” which means it has permissions that allow it affect the OS of your phone. This includes the abilities for remote code execution and remote package installation, which allows remote actors to either run their own code or install their own programs on the device.
While this is what allows bad actors to potentially hijack your phone, they need an entry point first. That comes from how Showcase.apk communicates with its host: The package is designed to download files over an unsecure HTTP connection, which a bad actor could take advantage of to gain access to your Pixel. Theoretically, the whole thing could allow bad actors to inject malware and spyware on your Pixel, and manipulate the OS as they see fit.
Before the collective Pixel community freaks out, there are no reports the vulnerability is currently being actively exploited. iVerify says Showcase.apk is not enabled by default, and requires manual intervention to turn on. iVerify was able to activate the app package, but will not disclose how they did so. While it seems likely you need to have physical access to the phone in order to do it, malicious users could in theory activate Showcase.apk remotely.
Where did this come from?
Why is such an app package on so many Pixel phones in the first place? iVerify says Showcase.apk was developed by Smith Micro, which makes app packages for parental controls, remote access tools, and programs for data deletion. iVerify states Smith Micro developed Showcase.apk as a program for Verizon to turn phones into demo units when displayed in-store. If you’ve ever used a smartphone in a store like Verizon, you know the Android that’s running on that phone is different than the Android on a personal device: That’s what programs like Showcase.apk help to accomplish.
That’s all fine and well for in-store units, but it’s unclear why the .apk package made its way to all these personal Pixel devices. There’s obviously no need for your Pixel to have a tool to activate “demo mode,” nor is there a reason the program should have such elevated system privileges in the first place. That combination puts millions of users at unnecessary risk.
In fact, Palantir says they are retiring their use of Pixel devices over this incident, and will be switching to Apple devices over the next few years. However, iVerify told Wired that it’s possible other Android devices are affected, and have since reached out to other Android manufactures to alert them to the issue.
What can you do?
Unfortunately, there’s nothing you can personally do to get rid of Showcase.apk, shy of buying an iPhone. iVerify says this package is baked into the Pixel’s firmware, and is part of the version of Android you download from Google directly. iVerify did disclose the issue to Google in May, and Google told Wired a software update is coming to remove Showcase.apk from Pixel phones “in the coming weeks.” Hopefully, if other Android phones have the app package, this update will be available to them as well. Google also confirmed no phone in the Pixel 9 line contains the app package. But as of this moment, Showcase.apk is stuck on your Pixel until that update hits.
