Cybersecurity firm iVerify recently discovered a serious security flaw affecting millions of Pixel smartphones worldwide and published its findings in a new report. According to the document, the software in question is called Showcase.apk.
It was originally developed by third-party developer Smith Micro Software for demo devices in Verizon stores. Employees at those locations had extensive access to a Pixel phone’s many features to “demonstrate how they work” to interested customers. Normally, Showcase is inactive; it does nothing. However, a skilled hacker can activate it via a backdoor.
The APK (Android Package Kit) fetches its configuration file from a domain hosted on Amazon Web Services over a connection iVerify describes as unsafe. Because that download is not adequately protected, a malicious actor could intercept the connection or impersonate the server and push a malicious configuration, planting malware or spyware on the phone. Additionally, because Showcase runs with what iVerify calls “excessive system privileges,” anything delivered this way would inherit those privileges, making it easy for cybercriminals to compromise a target.
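The two weaknesses described above map to two defences: authenticating the server the config comes from, and checking the integrity of the config itself. The following is an added illustration written for this article, not code from Showcase.apk, Smith Micro or the iVerify report. The hostname, the key, the config payload and the tampering step are all constructed for the demo; the “weak” client is a generic counterexample, not a claim about what Showcase's code does.

```python
"""Remote-config fetch: a weak client pattern beside a hardened one.

Added illustration for this article; not code from Showcase.apk or from
the iVerify report. Hostnames, keys and payloads are constructed.
"""
import hashlib
import hmac
import json
import ssl
from typing import Optional
from urllib.parse import urlparse

# Assumed allow-list of servers a device should accept config from.
ALLOWED_CONFIG_HOSTS = {"config.example-vendor.invalid"}

# Constructed demo key and config. On a real device the integrity check
# would use a vendor public key, not a shared secret (see note below).
DEMO_KEY = b"demo-only-signing-key-not-for-production"
GENUINE_CONFIG = json.dumps(
    {"mode": "retail_demo", "enabled": False, "extra_apps": []},
    sort_keys=True,
).encode()


def tls_context_weak() -> ssl.SSLContext:
    """Counterexample: a client that accepts any certificate for any name.

    An on-path attacker can impersonate the config server against this.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_context_strict() -> ssl.SSLContext:
    """Hardened: require a valid chain to a trusted CA and a matching hostname."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def tls_context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Quick audit check for a context handed to an HTTPS client."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def config_url_is_acceptable(url: str) -> bool:
    """Reject plaintext transport, embedded credentials and unknown hosts."""
    p = urlparse(url)
    if p.scheme != "https":
        return False
    if p.username or p.password:
        return False
    return p.hostname in ALLOWED_CONFIG_HOSTS


def sign_config(blob: bytes, key: bytes) -> str:
    """Tag the config bytes; HMAC-SHA256 stands in for a vendor signature."""
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def verify_config(blob: bytes, signature: str, key: bytes) -> bool:
    """Constant-time comparison so a tampered blob is rejected outright."""
    return hmac.compare_digest(sign_config(blob, key), signature)


def load_config(blob: bytes, signature: str, key: bytes) -> Optional[dict]:
    """Parse the config only after its integrity tag checks out."""
    if not verify_config(blob, signature, key):
        return None
    return json.loads(blob)


def tamper(blob: bytes) -> bytes:
    """Constructed on-path modification: flip the feature switch to enabled."""
    return blob.replace(b'"enabled": false', b'"enabled": true')


if __name__ == "__main__":
    sig = sign_config(GENUINE_CONFIG, DEMO_KEY)
    print("genuine config loads:", load_config(GENUINE_CONFIG, sig, DEMO_KEY))
    print("tampered config loads:", load_config(tamper(GENUINE_CONFIG), sig, DEMO_KEY))
    print("weak context passes audit:", tls_context_is_strict(tls_context_weak()))
    print("strict context passes audit:", tls_context_is_strict(tls_context_strict()))
```

The integrity check uses an HMAC only because the Python standard library has no public-key signature primitive; a shared secret on a phone is extractable, so a shipping design would sign the config with a vendor private key and carry only the public key on the device. The TLS checks and the URL allow-list are the part that directly addresses the intercept-or-impersonate scenario in the report.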
What’s especially scary is that Showcase has been part of the Google Pixel ecosystem since September 2017. And worst of all, the average user can’t remove the APK through the standard uninstall process because it’s considered a system-level app. iVerify states that “only Google can fix this.”
Bug fix in progress
As bad as things are, there is good news. First, there is no sign that anyone has actually exploited the flaw. A Google spokesperson told The Washington Post that the company had not observed any attacks that could be attributed to Showcase. They said there was no evidence of “active exploitation” and even went so far as to say that such an attack was “unlikely.”
Google is well aware of the issue. The tech giant told Forbes that it is taking action “out of an abundance of caution” and plans to roll out a patch to all “supported Pixel devices on the market.” Owners of the Pixel 9 series don’t need to worry, as none of the four models ship with Showcase.apk.
Verizon was also informed of the report. The company says it no longer uses the Showcase feature, and the carrier hasn’t seen any evidence of ongoing exploitation either. However, like Google, Verizon is removing the feature from supported phones “out of an abundance of caution.”
Patch availability
We reached out to Google for clarification. The same spokesperson as before shared similar information, but added that this is not an Android or Pixel vulnerability. Instead, the tech giant is pointing the finger at Smith Micro. They tell us that the patch for Pixel phones will be rolled out in the coming week and that Google is notifying other Android manufacturers, suggesting that third-party devices could have the same issue.
It’s not yet known when other Android devices will receive their own fix, so presumably that is up to the discretion of the individual brands.
If you’re looking for ways to improve device security, check out TechRadar’s seven tips to protect your smartphone.