Cybersecurity firm iVerify recently discovered a serious vulnerability affecting millions of Pixel smartphones worldwide and published its findings in a new report. According to the document, the software in question is called Showcase.apk.
Showcase was originally developed by independent firm Smith Micro Software for demonstration devices inside Verizon stores. Employees at these locations would have deep access to a Pixel phone’s many features in order to “demonstrate how they work” to interested customers. Normally, Showcase sits dormant; it doesn’t do anything. However, it’s possible for a skilled enough hacker to activate it through a backdoor.
The APK (Android Package Kit) receives its configuration file from an insecure domain on Amazon Web Services. In theory, a malicious actor could intercept these connections or impersonate the website and inject malware or spyware onto a Pixel phone. Additionally, since Showcase has “excessive system privileges,” it’s easy for cybercriminals to compromise a target.
What's particularly scary is that Showcase has been part of the Google Pixel ecosystem since September 2017. And the worst part is that the average user can't remove the APK through the standard uninstall process, as it's considered a system-level app. iVerify claims that “only Google can fix” this.
Repair in progress
As bad as things are, there is good news. First, it appears that no one, not even the malicious actors, knew about the exploit. A Google spokesperson told The Washington Post that they have not seen any attacks that can be attributed to Showcase. They said there is no evidence of “active exploitation” and went so far as to suggest that such an attack “would be unlikely.”
Google is well aware of the issue. The tech giant told Forbes that they are taking steps “out of an abundance of caution” and plan to roll out a patch to all “compatible Pixel devices in the market.” Don’t worry about the Pixel 9 series, as none of the four models have Showcase.apk.
Verizon has also been informed of the report. They claim they no longer use the Showcase feature, and similarly, the carrier saw no evidence of continued exploitation. However, like Google, Verizon is removing the feature from compatible phones “out of an abundance of caution.”
Patch availability
We reached out to Google for clarification, and the same spokesperson shared similar information, adding that this isn’t an Android or Pixel vulnerability. Instead, the tech giant is pointing the finger at Smith Micro. We’re told that the patch for Pixel phones will roll out within the next week and that Google is notifying other Android manufacturers, implying that third-party devices could be experiencing the same issue.
It is not known when third-party Android devices will receive their own solution. Presumably, it will all be at the initiative of the other brands.