A large percentage of Google Pixel devices shipped worldwide since September 2017 included flawed software that could be abused to stage malicious attacks and spread various types of malware.
The problem appears as a pre-installed Android app called “Showcase.apk” that has excessive system privileges, including the ability to remotely execute code and install arbitrary packages on the device, according to mobile security company iVerify.
“The application downloads a configuration file over an unsecured connection and can be manipulated to execute system-level code,” iVerify said in an analysis published jointly with Palantir Technologies and Trail of Bits.
“The application retrieves a configuration file from a single domain located in the US and hosted on AWS via insecure HTTP, which leaves the configuration vulnerable and could leave the device vulnerable.”
The app in question is called Verizon Retail Demo Mode (“com.customermobile.preload.vzw”), which requires nearly three dozen different permissions, including location and external storage, based on artifacts uploaded to VirusTotal earlier this February. Messages on Reddit and XDA Forums show that the package has been around since August 2016.
The crux of the problem is that the app downloads the configuration file over an unencrypted HTTP connection, as opposed to HTTPS, which opens up the possibility of altering it in transit to the target phone. There is no evidence that it has ever been exploited in the wild.
It should be noted that the program is not Google software. It is most likely designed by enterprise software company Smith Micro to put the device in demo mode. It’s currently unclear why the third-party software is directly built into the Android firmware, but a Google spokesperson said the app is owned by Verizon and required for all Android devices.
The end result is that it makes Android Pixel smartphones susceptible to adversary-in-the-middle (AitM) attacks, giving attackers the power to inject malicious code and spyware.
In addition to running in a highly privileged system-level context, the program “fails to authenticate or validate a statically defined domain when retrieving the application’s configuration file” and “uses insecure default variable initialization during certificate and signature validation, resulting in valid checks after failure.”
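The two weaknesses quoted above, fetching from an unpinned source and a verifier that defaults to success, are easy to model side by side. The following is an added illustration, not code from Showcase.apk or the iVerify analysis: the HMAC scheme, the device key, the expected host and the sample config are all assumptions, standing in for whatever certificate and signature checks the real app performs.

```python
from urllib.parse import urlsplit
import hashlib
import hmac

# Assumed (not from the analysis): the config should only ever come from one
# fixed host over TLS, and is authenticated with an HMAC under a device key.
EXPECTED_HOST = "config.example.invalid"
DEVICE_KEY = b"constructed-device-key"
# Constructed sample config; the real file's format is not described.
CONFIG = b'{"demo_mode": true, "package_url": "https://example.invalid/pkg"}'


def config_source_ok(url: str) -> bool:
    """Pin the source: require HTTPS and the one statically defined host."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname == EXPECTED_HOST


def sign(config: bytes, key: bytes = DEVICE_KEY) -> bytes:
    return hmac.new(key, config, hashlib.sha256).digest()


def verify_fail_open(config: bytes, tag: bytes, key: bytes = DEVICE_KEY) -> bool:
    """Bug-class model: the result starts out True and is only cleared on an
    explicit mismatch, so any error on the way (here a malformed tag) is
    swallowed and the check still reports success."""
    valid = True
    try:
        expected = sign(config, key)
        if len(tag) != len(expected):
            raise ValueError("malformed tag")
        if not hmac.compare_digest(tag, expected):
            valid = False
    except ValueError:
        pass  # the error path never resets 'valid'
    return valid


def verify_fail_closed(config: bytes, tag: bytes, key: bytes = DEVICE_KEY) -> bool:
    """Hardened form: default to rejection; a successful compare is the only
    path that sets True, so every error path rejects the config."""
    valid = False
    try:
        expected = sign(config, key)
        if len(tag) == len(expected) and hmac.compare_digest(tag, expected):
            valid = True
    except ValueError:
        valid = False
    return valid
```

Feeding a tampered config with an empty tag to both verifiers shows the difference: the fail-open version accepts it, the fail-closed version rejects it.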
However, the severity of the flaw is somewhat mitigated by the fact that the program is not enabled by default, and it can only be enabled if the threat actor has physical access to the target device and developer mode is turned on.
“Because this program is not inherently malicious, it may not be detected or flagged as malicious by most security technologies, and because the program is installed at the system level and is part of the firmware image, it cannot be removed at the user level,” iVerify said.
In a statement shared with The Hacker News, Google said that this is not a vulnerability in either the Android platform or the Pixel, but is related to a package file developed for Verizon’s in-store demonstration devices. It also said that the program is no longer in use.
“Using this app on a user’s phone requires both physical access to the device and the user’s password,” a Google spokesperson said. “We have not seen any evidence of active exploitation. Out of an abundance of caution, we’ll remove this from all supported Pixel devices with an upcoming Pixel software update. The app is not available on the Pixel 9 series devices. We are also notifying other Android OEMs.”