Pixel smartphones delivered with secret but inactive remote maintenance

Pixel smartphones were delivered with remote maintenance software at Verizon's request. When activated, it can download unsafe code.

Pixel 8 (Image: Gabo_Arts/Shutterstock.com)


Millions of Pixel phones have been shipped with remote maintenance software that makes them vulnerable to spyware – but only if the perpetrator has physical access to the device, enters the user's password and knows how to activate the normally invisible and inactive software, according to Google. Under these conditions, an attacker could also install any other software. The remote maintenance software is said to have been installed at Verizon's request since the Pixel phones were launched in 2017. The US mobile operator used the program for a while to demonstrate Pixel phones in its sales outlets.

Whether Android phones other than Pixel are also affected is still unclear. No active exploitation is known. The vulnerability was discovered by iVerify's Endpoint Detection and Response (EDR) scanner on a customer's phone. iVerify, together with the affected customer Palantir and the security company Trail of Bits, was able to trace it back to a hidden Android software package. Even though the software is no longer used, it is still present in the firmware images of Pixel smartphones, as Trail of Bits CEO Dan Guido notes on X.

In fact, firmware images for Pixel devices whose product.img contains the priv-app directory with the aforementioned Showcase.apk can still be downloaded from Google's official servers, as heise online was able to verify using the Android 14.0 image for the Pixel 8a.

According to iVerify, once activated, the application downloads a configuration file via an insecure connection, which can result in system-level code being executed. The configuration file is retrieved from a domain hosted by AWS over unsecured HTTP, which leaves the configuration and the device vulnerable to malicious code, spyware and data wiping.

The affected package is pre-installed in the firmware of Pixel devices. By default, the application is not active, but since it is part of the firmware image, millions of phones could be running this app at system level. Users cannot uninstall Showcase.apk themselves. According to Verizon, an update that removes the inactive software is in the works and will be made available to “all affected OEM manufacturers”.
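The two preceding paragraphs describe a package that ships in the priv-app directory of the product partition, runs at system level once activated, and cannot be removed by the user. The inventory check below is an added example (not code from heise online, iVerify, Trail of Bits, Google or Verizon) showing how a defender can audit a device for such pre-installed privileged APKs using the output of `adb shell pm list packages -f` (one `package:<apk path>=<package name>` line per app) and `pm list packages -d` (disabled packages). The sample output and the package names in it are constructed placeholders; the article does not give the Showcase package's real identifier, only its APK file name.

```python
"""Audit an Android package listing for watchlisted pre-installed privileged APKs.

Added example, not code from the article or from any of the companies it names.
Input format is that of `adb shell pm list packages -f` and `pm list packages -d`.
"""
import re
from dataclasses import dataclass

# APK file names the article reports as shipped in priv-app but normally inactive.
WATCHLIST = {"Showcase.apk"}


@dataclass(frozen=True)
class Finding:
    package: str
    apk_path: str
    partition: str    # first path component, e.g. "product", "system", "data"
    privileged: bool  # APK sits in a priv-app directory (system-level permissions)
    enabled: bool     # False if the package appears in `pm list packages -d`


def parse_packages(listing: str) -> list[tuple[str, str]]:
    """Return (apk_path, package_name) pairs from `pm list packages -f` output."""
    pairs = []
    for line in listing.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        # Split on the LAST '=': user-app paths under /data/app contain
        # base64 directory names that may themselves end in '='.
        path, sep, pkg = body.rpartition("=")
        if sep and path and re.fullmatch(r"[\w.]+", pkg):
            pairs.append((path, pkg))
    return pairs


def parse_disabled(listing: str) -> set[str]:
    """Return package names from `pm list packages -d` output."""
    return {
        line.strip()[len("package:"):]
        for line in listing.splitlines()
        if line.strip().startswith("package:")
    }


def find_watchlisted(packages_f: str, packages_d: str,
                     watchlist: set[str] = WATCHLIST) -> list[Finding]:
    """Flag every listed APK whose file name is on the watchlist."""
    disabled = parse_disabled(packages_d)
    findings = []
    for path, pkg in parse_packages(packages_f):
        apk_name = path.rsplit("/", 1)[-1]
        if apk_name not in watchlist:
            continue
        parts = path.split("/")
        findings.append(Finding(
            package=pkg,
            apk_path=path,
            partition=parts[1] if len(parts) > 1 else "",
            privileged="/priv-app/" in path,
            enabled=pkg not in disabled,
        ))
    return findings


def describe(finding: Finding) -> str:
    state = "enabled" if finding.enabled else "disabled"
    priv = "privileged" if finding.privileged else "unprivileged"
    return f"{finding.package}: {finding.apk_path} ({finding.partition} partition, {priv}, {state})"


# Constructed sample output; the showcase package name is a placeholder.
SAMPLE_PACKAGES_F = """\
package:/product/priv-app/Showcase/Showcase.apk=com.example.carrier.showcase.PLACEHOLDER
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/product/app/Calendar/Calendar.apk=com.google.android.calendar
package:/data/app/~~abc==/org.example.user-1/base.apk=org.example.user
"""
SAMPLE_PACKAGES_D = """\
package:com.example.carrier.showcase.PLACEHOLDER
"""

if __name__ == "__main__":
    for f in find_watchlisted(SAMPLE_PACKAGES_F, SAMPLE_PACKAGES_D):
        print(describe(f))
```

On a real device, feed the script the two `adb shell pm list packages` outputs; a finding that is privileged and enabled is the condition worth escalating, while privileged-but-disabled matches the default state the article describes.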

The publication of the results has been criticized by the developers of GrapheneOS, the operators of a particularly secure operating system for Pixel devices. In their opinion, this is all a marketing campaign for an overrated security application from iVerify. If no Verizon SIM is available, the operating system would not load the corresponding carrier configuration and the apps could not be executed, the account "GrapheneOS" writes on Mastodon. It can do “little more than statically scan APKs” and is “a crippled antivirus app”. Further criticism was heaped on Palantir, a “mass surveillance company that is complicit in blatant human rights violations”. According to GrapheneOS, Trail of Bits should “think about whether they want to be a partner of Palantir in building a police state with ubiquitous surveillance”.

According to media reports, Showcase.apk comes from Smith Micro, a company that provides software for remote access, parental control and data erasure. "This is neither an Android platform nor a Pixel vulnerability," Google told Forbes. The app was developed for a demo function for stores of the US mobile phone provider Verizon, but is no longer in use. Both physical access to the device and the user's password are required to activate the app.

The function is no longer used by Verizon, nor by consumers, a company spokesperson told Forbes. Neither iVerify nor Verizon have found any evidence of the vulnerability being exploited. As a precautionary measure, the demo function will be removed from all devices.

The discovery of Showcase.apk and similar incidents show the need for greater transparency and discussion around third-party apps that are part of the operating system. Incidentally, the problem is not new - nor is it limited to Pixel smartphones: back in 2016, a person complained to Verizon that a "Verizon store demo mode app" was on his Samsung Galaxy Note 5.

Update

Paragraph added with statements from the GrapheneOS authors.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.