Google will remove a built-in app from its Pixel phone devices more than 90 days after intelligence contractor Palantir and the mobile security firm iVerify raised concerns about a major vulnerability in the software, Google said Wednesday night.
The application in question, Showcase.apk, was meant to help employees selling Pixel phones demonstrate their features, iVerify says. But when the usually dormant app is activated, it retrieves information from an Amazon Web Services site over the unencrypted HTTP protocol, which leaves it vulnerable to hacking.
The details of the Pixel app vulnerability were published Thursday in a report from iVerify that was publicized by Palantir and the security company Trail of Bits. Palantir said it notified Google of the problem more than 90 days ago and that its concerns were not addressed. Palantir subsequently stopped issuing Android phones to employees over concerns about the software's security.
Google said in an email to CNET that the app was developed by a third party, Smith Micro for Verizon, and said it does not represent an Android or Pixel vulnerability as it was only used for in-store devices. The company said the app is no longer being used.
“Exploitation of this app on a user phone requires both physical access to the device and the user’s password,” a Google spokesperson told CNET. “We have seen no evidence of any active exploitation. Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update. The app is not present on Pixel 9 series devices. We are also notifying other Android OEMs.”
The news of a potential security issue with Pixel phones comes the same week that Google introduced its new line of Pixel phones at the Made by Google event in Mountain View, California. There, the company touted its new hardware line of phones, watches and earbuds as well as AI features in its Gemini software.
“While we don’t have evidence this vulnerability is being actively exploited, it nonetheless has serious implications for corporate environments, with millions of Android phones entering the workplace every day,” Rocky Cole, co-founder and chief operating officer at iVerify, said in a brief about the report on Thursday. “Google is essentially giving CISOs the impossible choice of accepting insecure bloatware or banning Android entirely.”
iVerify said that the app in question cannot be removed by users; it is part of the firmware of Pixel phones. The app may also pose a problem on non-Pixel Android devices issued by Verizon that contain the Showcase app.
“This capability is no longer being used by Verizon in stores, and is not used by consumers,” a Verizon spokesperson said in an email. “We have seen no evidence of any exploitation of this. Out of an abundance of precaution, Android OEMs will be removing this demo capability from all supported devices.”
Google said in an email that the Pixel update would be released "in the coming weeks," but it did not give users any instructions on how to protect their phones in the meantime, apart from keeping the devices out of the physical hands of hackers.