iVerify, a company that works on mobile phone security, has discovered a vulnerability in Google Pixel smartphones. According to iVerify, a piece of third-party software with deep system access is to blame and, worryingly, ships with “a very large percentage of Pixel devices […] from September 2017.”
The issue is related to “Showcase.apk,” a piece of software developed for Verizon and used to put Pixel devices in demo mode while on display at retail stores. The software downloads a configuration file over an unencrypted web connection, which, given Showcase’s deep system access, could allow bad actors to perform remote code execution or remote package installation on the device.
A particularly disturbing aspect of this discovery is that Showcase cannot be deleted at the user level. Although it is not enabled by default, iVerify said there may be multiple ways to enable the app. iVerify alerted Google to the vulnerability in May; so far, there is no confirmed evidence of its exploitation in the wild.
A Google spokesperson said that Showcase is “no longer used” by Verizon, and that Google will have a software update to remove the app from all Pixel devices “in the coming weeks.” In addition, the representative said that Showcase is not on the line of devices announced at the Made by Google event this week.