Pixel smartphones delivered with secret but inactive remote maintenance

Pixel smartphones were delivered with remote maintenance software at Verizon's request, worldwide. When activated, it can download unsafe code.

Pixel 8

(Image: Gabo_Arts/Shutterstock.com)

This article was originally published in German and has been automatically translated.

Millions of Pixel phones have been shipped with remote maintenance software that makes them vulnerable to spyware – but only if the perpetrator has physical access to the device, enters the user's password and knows how to activate the normally invisible and inactive software, according to Google. Under these conditions, an attacker could also install any other software. The remote maintenance software is said to have been installed at Verizon's request since the Pixel phones were launched in 2017. The US mobile operator used the program for a while to demonstrate Pixel phones in its sales outlets.

Whether Android phones other than Pixel are also affected is still unclear. Active exploitation is not known. The vulnerability was discovered by iVerify's "Endpoint Detection and Response" (EDR) scanner on a customer's cell phone. iVerify, together with the affected customer Palantir and the security company Trail of Bits, was able to trace it back to a hidden Android software package. Even though the software is no longer used, it is still present in the images of Pixel smartphones, as Trail of Bits CEO Dan Guido notes on X.

In fact, firmware images for Pixel devices that contain the priv-app directory with the aforementioned Showcase.apk in product.img can still be downloaded from Google's official servers, as heise online was able to verify using the Android 14.0 image for the Pixel 8a.

According to iVerify, once activated, the application downloads a configuration file via an insecure connection, which can result in system-level code being executed. The configuration file is retrieved from a domain hosted by AWS over unsecured HTTP, which leaves the configuration and the device vulnerable to malicious code, spyware and data wiping.
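The weakness described here is a configuration fetched over plain HTTP with no integrity check, so whoever controls the path to the server controls what the system-level app does. The following is an added example, not code from the article, from Google, Verizon or Smith Micro, and not the real Showcase mechanism: it shows the two checks a privileged app should apply before acting on a remotely fetched configuration, namely refusing any non-HTTPS URL and verifying a signature made with a key provisioned with the app. The URL, the signing key and the configuration documents are all constructed for the example; the `fetch` callable stands in for the network so the code runs offline.

```python
"""Added example: fetch-and-verify pattern for a remotely loaded configuration.

Two defences are combined:
  1. transport check  - the config URL must use https://, so a plaintext
                        on-path substitution (the flaw described above) is
                        not possible;
  2. integrity check  - the body must carry an HMAC-SHA256 signature made
                        with a key shipped inside the app, so even a
                        compromised or misconfigured server cannot push an
                        unsigned or altered configuration.
All values below (key, URL, config contents) are constructed for the example.
"""
import hashlib
import hmac
import json
from typing import Callable, Tuple
from urllib.parse import urlparse

# Constructed: a key that ships with the app and is never downloaded.
CONFIG_SIGNING_KEY = b"example-signing-key-not-a-real-secret"


class ConfigRejected(Exception):
    """Raised when a configuration must not be applied."""


def check_transport(url: str) -> None:
    """Reject any config URL that does not use TLS."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ConfigRejected(f"insecure config URL refused: {url}")


def sign_config(config_bytes: bytes, key: bytes = CONFIG_SIGNING_KEY) -> str:
    """Detached HMAC-SHA256 over the exact bytes that will be parsed."""
    return hmac.new(key, config_bytes, hashlib.sha256).hexdigest()


def verify_and_load(config_bytes: bytes, signature_hex: str,
                    key: bytes = CONFIG_SIGNING_KEY) -> dict:
    """Parse the config only after its signature has been verified."""
    expected = sign_config(config_bytes, key)
    # compare_digest avoids leaking the mismatch position through timing.
    if not hmac.compare_digest(expected, signature_hex):
        raise ConfigRejected("configuration signature mismatch")
    return json.loads(config_bytes)


def load_remote_config(url: str,
                       fetch: Callable[[str], Tuple[bytes, str]],
                       key: bytes = CONFIG_SIGNING_KEY) -> dict:
    """fetch(url) returns (body_bytes, signature_hex); both checks run first."""
    check_transport(url)
    body, signature = fetch(url)
    return verify_and_load(body, signature, key)


def describe_attempt(url: str, fetch: Callable[[str], Tuple[bytes, str]]) -> str:
    """Human-readable outcome, handy for logging and for tests."""
    try:
        cfg = load_remote_config(url, fetch)
    except ConfigRejected as exc:
        return f"rejected: {exc}"
    return f"accepted: demo_mode={cfg['demo_mode']}"


# Constructed stand-ins for the network so the example runs offline.
GOOD_CONFIG = json.dumps({"demo_mode": False, "commands": []}).encode()


def demo_fetch(url: str) -> Tuple[bytes, str]:
    """Server returns a correctly signed configuration."""
    return GOOD_CONFIG, sign_config(GOOD_CONFIG)


def tampered_fetch(url: str) -> Tuple[bytes, str]:
    """Body was altered in transit; the old signature no longer matches it."""
    altered = json.dumps({"demo_mode": True, "commands": ["CHANGED"]}).encode()
    return altered, sign_config(GOOD_CONFIG)


if __name__ == "__main__":
    base = "config.example.invalid/showcase.json"  # constructed placeholder host
    print(describe_attempt("https://" + base, demo_fetch))
    print(describe_attempt("http://" + base, demo_fetch))
    print(describe_attempt("https://" + base, tampered_fetch))
```

The order matters: the scheme is checked before any request is made, and the body is parsed only after the signature verifies, so a malformed or hostile document never reaches the JSON parser. In a real deployment the HMAC key would be replaced by a public-key signature (the device holds only the verifier), since a symmetric key inside a firmware image can be extracted from the image, as the article's own point about downloadable product.img files illustrates.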

The affected package is pre-installed in the firmware of Pixel devices. By default, the application is not active; however, as it is part of the firmware image, millions of phones could be running this app at system level. Users cannot uninstall Showcase.apk themselves. An update that removes the inactive software is in the works, according to Verizon, and will be made available to "all affected OEM manufacturers". This raises the suspicion that phones other than Pixel phones are also equipped with the insecure application.

According to media reports, Showcase.apk comes from Smith Micro, a company that provides software for remote access, parental control and data erasure. "This is neither an Android platform nor a Pixel vulnerability," Google told Forbes. The app was developed for a demo function for stores of the US mobile phone provider Verizon, but is no longer in use. Both physical access to the device and the user's password are required to activate the app.

The function is no longer used by Verizon, nor by consumers, a company spokesperson told Forbes. Neither iVerify nor Verizon have found any evidence of the vulnerability being exploited. As a precautionary measure, the demo function will be removed from all devices.

The discovery of Showcase.apk and similar incidents show the need for greater transparency and discussion around third-party apps that are part of the operating system. Incidentally, the problem is not new - nor is it limited to Pixel smartphones: back in 2016, a person complained to Verizon that a "Verizon store demo mode app" was on his Samsung Galaxy Note 5.

(mack)