Google claims that its Pixel smartphones offer increased security because they ship with a pure Android OS, supposedly without add-ons and third-party software. But, as cybersecurity experts from iVerify found out, all phones in the series since September 2017 have shipped with a hidden third-party application that makes them vulnerable to hacking.

The package in question is called Showcase.apk; it runs at the system level and remains invisible to the user. It was created for the American carrier Verizon by enterprise software developer Smith Micro. The application is used to put phones into demo mode in retail stores, and Google has nothing to do with it. But it has been included in every Pixel Android release for nearly seven years now, and has deep system privileges, including remote code execution and remote installation of other software. In addition, the application allows a configuration file to be loaded over an unsecured HTTP connection, which a potential attacker can intercept to gain control of the application and then of the victim’s entire device.

iVerify reported its discovery to Google back in early May, but the tech giant has still not solved this problem. The app is “no longer used” by Verizon and will be removed from all supported Pixel devices “in the coming weeks” with the next Android update, Google spokesman Ed Fernandez told Wired. Showcase was indeed previously used for demonstrations in retail stores, but is no longer used, Verizon confirmed. Smith Micro had no comment.

Although Showcase.apk is a dangerous vulnerability for phones, the app is disabled by default. This means that to use it for malicious purposes, a potential cybercriminal would need physical access to the victim’s phone to run the application. There is also a possibility that Showcase.apk is installed not only on Pixel phones, but also on devices from other manufacturers, iVerify said. This was indirectly confirmed by Google’s Ed Fernandez, who said that “we are also notifying other Android OEMs.”
