Last month, researchers discovered a security flaw which affected a “very large percentage” of Pixel phones. An update from Google released today fixes this vulnerability.
A few weeks ago, online security company iVerify released a blog post describing how the majority of Pixel phones shipped since 2017 contain software called showcase.apk. This software is not intended for consumers, but for store employees of the US telecommunications operator Verizon to demonstrate the functionality of Pixel phones.
The problem was that showcase.apk has very high system privileges and can even execute code and install software remotely. In theory, someone with bad intentions could gain access to the Amazon Web Services domain that powers the software and put malware or spyware on an unsuspecting person’s phone.
Showcase.apk is not enabled by default
Since the app was pre-installed, users could not delete it manually.
The security update released by Google removes showcase.apk entirely. Google's blog post about the update doesn't mention the software by name, stating only that there is a “third-party APK removal patch to address the security vulnerability.”
When iVerify discovered the flaw, Google said there was no evidence that anyone had used it. However, the problem was serious enough that Palantir Technologies banned the use of Android devices.
It is important to note that iVerify found that showcase.apk is not enabled by default. “There could be multiple methods to enable it,” the report explains, but “the iVerify research team explored a method that requires physical access.”
Which Pixels are affected?
This flaw would probably be quite difficult for someone to take advantage of. Even so, Google is removing it.
The update applies to the following devices:
- Pixel 6
- Pixel 6 Pro
- Pixel 6a
- Pixel 7
- Pixel 7 Pro
- Pixel 7a
- Pixel 8
- Pixel 8 Pro
- Pixel 8a
- Pixel Fold
- Pixel Tablet
The app is not pre-installed on the Pixel 9 series.