Google Pixel Phones Have a Vulnerability That Can Give Hackers High-Level Device Access

• Cybersecurity firm iVerify found a vulnerability in Google Pixel apps that has existed since 2017 and could be affecting millions of users.
• The vulnerability was found in a pre-installed app called Showcase.apk that was used for turning on the demo mode in the device for in-store displays.
• The vulnerability has already been addressed by Google and it said that a patch is on the way.

A serious vulnerability has been discovered in a pre-installed Google Pixel app that could affect millions of users. The discovery was made by cybersecurity firm iVerify who published a complete report on it.

The vulnerability lies within a pre-installed Android app called Showcase.apk developed by Smith Micro. It was used to enable demo mode in devices for in-store display.

Initially not a part of the Android firmware, it was later embedded in it at the request of Verizon (the mobile carrier).

The app is very powerful with high system privileges. If compromised, threat actors can use it to execute remote codes or install malicious packages on the device.

However, before this app can be compromised, there needs to be an entry point. This entry point is provided by the way Showcase.apk communicates with its host.

'The application downloads a configuration file over an insecure connection and can be manipulated to execute code at the system level' - iVerify's report

In simple terms, the app retrieves its configuration file from a single US-based domain hosted on Amazon Web Services (AWS) over an unsecured HTTP connection. This insecure connection makes the files in transit vulnerable to interception, thus risking the device.

Google Is Already Working on a Fix

The vulnerability is present in many devices that have been shipped since 2017. So the total number of users at risk could be in the millions. But the good news is, a fix is already underway.

• Google has addressed the issue and said that it will soon release a patch for all supported in-market Pixel devices" in a few weeks.
• This doesn't include the Pixel 9 series because when tested, none of the four models in the series had this vulnerability.
• Verizon has also been notified about the vulnerability. Although it no longer uses the app and didn't get any evidence of ongoing exploitation, it has still decided to remove the function from all the devices it supports just to be extra safe.
• Lastly, Google also said that this isn't an issue with Pixel phones or Android. The problem lies with Smith Micro.
• So Google has also decided to notify other Android manufacturers since third-party devices might also have this problem.

The good news - so far there is no indication that the vulnerability has been exploited. It's probably because no threat actors are aware of it or because the app is not enabled by default.

But now that the news is public, let's just hope that Google's fix reaches before any malicious actor can exploit the flaw.

The post Google Pixel Phones Have a Vulnerability That Can Give Hackers High-Level Device Access appeared first on The Tech Report.