Your Pixel Has a Dangerous Security Vulnerability Built Into Its Firmware

Less than 48 hours after Google introduced the Pixel 9 lineup to the world, news has emerged that may dampen the company's celebrations: since 2017, Pixels have been shipping with a serious security vulnerability built into their firmware, one that users cannot remove or patch themselves.

The news comes from iVerify, a mobile threat hunting company, and Palantir Technologies, a data analytics software company. iVerify announced the discovery in a blog post on Thursday, warning that the vulnerability exposes Android on Pixel phones to man-in-the-middle attacks and to the installation of malware and spyware.

How does this vulnerability work?

The vulnerability is linked to the Showcase.apk Android app package, which is installed on a "very high percentage" of Pixel phones. (iVerify doesn't give an exact number, but says "millions" of Pixel devices are affected.) Showcase.apk reportedly runs in a "highly privileged context," meaning it has permissions that let it change the phone's operating system. That includes remote code execution and remote package installation capabilities, so whoever controls the app can run their own code or install their own programs on the device.

That is what would let an attacker take over the phone, but they first need a way in. The entry point is how Showcase.apk talks to its server: the package downloads the files it needs over an unencrypted HTTP connection, which anyone positioned between the phone and that server (on an untrusted Wi-Fi network, for example) can intercept and replace. Combined with the app's privileges, that could in theory let an attacker plant malware and spyware on the Pixel and manipulate the OS at will.
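To make the mechanism concrete, here is an added Python model of a privileged component that fetches its configuration over plain HTTP. It is not Showcase.apk's code and does not come from iVerify, Smith Micro or Google; the config format, the on-path attacker's edit, the attacker URL and the HMAC-based integrity check are all constructed for the illustration. What it demonstrates is that with unauthenticated HTTP nothing binds what the phone receives to what the server sent, so a loader that acts on the bytes as received will happily install whatever an on-path party inserted, while a loader that checks the config's integrity refuses the tampered copy even when the transport offers no protection.

```python
"""Why a privileged component fetching config over plain HTTP is an
on-path (man-in-the-middle) problem, and what an integrity check changes.

Added illustration, not Showcase.apk's code. Everything below is constructed.
"""
import hashlib
import hmac
import json

# Constructed sample key. A real design would ship a public key in the app and
# verify an asymmetric signature; HMAC is used here only so the demo runs on
# the standard library alone.
SIGNING_KEY = b"demo-signing-key-not-real"


def sign(body: bytes) -> str:
    """Integrity tag the legitimate server attaches to a config body."""
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


# What the legitimate server sends: a config body plus a detached tag.
LEGIT_BODY = json.dumps({"demo_mode": True, "install": []}).encode()
LEGIT_TAG = sign(LEGIT_BODY)


def on_path_attacker(body: bytes, tag: str):
    """Anyone between the phone and the server (rogue Wi-Fi AP, ARP spoofing,
    a compromised router) can rewrite a plaintext HTTP response at will.
    The attacker forwards the old tag unchanged because they cannot compute
    a valid one for their modified body."""
    cfg = json.loads(body)
    cfg["install"] = ["http://attacker.example/payload.apk"]  # constructed URL
    return json.dumps(cfg).encode(), tag


def http_fetch(tampered: bool):
    """Stand-in for the network. With plain HTTP there is nothing that binds
    the bytes received to the bytes the server actually sent."""
    body, tag = LEGIT_BODY, LEGIT_TAG
    if tampered:
        body, tag = on_path_attacker(body, tag)
    return body, tag


def unsafe_loader(tampered: bool) -> list:
    """Vulnerable pattern: a privileged component acts on whatever arrived.
    Returns the list of packages it would go on to install."""
    body, _tag = http_fetch(tampered)
    return json.loads(body)["install"]


def verified_loader(tampered: bool) -> list:
    """Hardened pattern: refuse any config whose integrity tag does not verify.
    This holds even if the transport has been downgraded to plain HTTP."""
    body, tag = http_fetch(tampered)
    if not hmac.compare_digest(sign(body), tag):
        raise ValueError("config failed integrity check; refusing to act on it")
    return json.loads(body)["install"]


def config_accepted(tampered: bool) -> bool:
    """True if the hardened loader would act on the fetched config."""
    try:
        verified_loader(tampered)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("unsafe, clean network    :", unsafe_loader(tampered=False))
    print("unsafe, on-path attacker :", unsafe_loader(tampered=True))
    print("verified, clean network  :", verified_loader(tampered=False))
    print("verified, on-path attacker accepted:", config_accepted(tampered=True))
```

Run it directly to see both loaders against a clean and a tampered fetch. A symmetric key baked into an app can be pulled out of the APK, which is why a real design verifies a signature against a public key pinned in the app and fetches over HTTPS with certificate validation; the HMAC here only keeps the example within the standard library.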

So far, there have been no reports of the vulnerability being actively exploited. iVerify reports that Showcase.apk is not enabled by default and requires manual intervention to turn on. iVerify was able to activate the app package but did not disclose how. It seems likely that physical access to the phone is needed, though in theory an attacker could activate Showcase.apk remotely.

Where did this come from?

Why is such a suite of apps on so many Pixel phones in the first place? iVerify reports that Showcase.apk was developed by Smith Micro, which makes parental control apps, remote access tools, and data erasers. iVerify says Smith Micro built Showcase.apk for Verizon as a way to turn phones into demo devices for in-store display. If you've ever handled a smartphone at a store like Verizon, you know the Android running on that phone behaves differently from the Android on your personal device; that's what programs like Showcase.apk set up.

That is all fine for stores, but it's unclear why the package ended up on all these personal Pixel devices. There's no need for your Pixel to carry a tool for activating "demo mode," and there's no good reason for such a program to have elevated system privileges in the first place. The combination exposes millions of users to unnecessary risk.

Palantir says that because of this incident it will stop using Pixel devices and switch to Apple devices over the next few years. iVerify, meanwhile, told Wired that it is possible the issue affects other Android devices as well, and has since reached out to other Android manufacturers to alert them.

What can you do?

Unfortunately, there is nothing you can do personally to get rid of Showcase.apk, short of buying an iPhone. iVerify says the package is built into the Pixel firmware and ships in the Android images Google itself distributes. iVerify reported the issue to Google in May, and Google told Wired that a software update removing Showcase.apk from Pixel phones would arrive "in the coming weeks." Hopefully, if other Android phones carry the package, the update will reach them too. Google has also confirmed that no phone in the Pixel 9 lineup includes the app bundle. Until the update lands, Showcase.apk stays on your Pixel; in the meantime the practical exposure is limited by the fact that the app is disabled by default, so the device most at risk is one an attacker has already been able to get their hands on.
