Since September 2017, a significant number of Google Pixel devices shipped worldwide have been found to contain dormant software capable of facilitating malicious attacks and delivering various forms of malware.
This vulnerability arises from a pre-installed Android application called “Showcase.apk”, which possesses elevated system privileges, such as the ability to remotely execute code and install arbitrary packages, as reported by mobile security firm iVerify.
Their joint analysis with Palantir Technologies and Trail of Bits explains that “the application fetches a configuration file via an unencrypted connection, making it susceptible to manipulation for system-level code execution.”
The configuration file is retrieved from a U.S.-based AWS-hosted domain using unsecured HTTP, leaving both the file and the device exposed to potential compromise.
The app in question, known as Verizon Retail Demo Mode (“com.customermobile.preload.vzw”), requires nearly 36 different permissions, including access to location and external storage, based on samples uploaded to VirusTotal in February. Discussions on Reddit and XDA Forums indicate the app has been in circulation since August 2016.
The key issue stems from the app downloading a configuration file over an unencrypted HTTP connection rather than HTTPS, exposing it to potential tampering during transmission. However, no evidence has surfaced that this vulnerability has been exploited in the wild.
It’s important to clarify that the app in question isn’t developed by Google. Instead, it was created by an enterprise software company called Smith Micro to enable demo mode on devices. The reason third-party software is embedded directly into Android firmware remains unclear, though a Google representative, speaking on background, indicated that the app is required by Verizon on all Android devices.
As a result, Android Pixel smartphones are exposed to adversary-in-the-middle (AitM) attacks, potentially allowing attackers to inject malicious code or spyware.
Despite operating with elevated system privileges, the app “fails to authenticate or verify a statically defined domain when retrieving its configuration file” and “relies on insecure default variable initialization during certificate and signature verification, leading to successful verification even after failure.”
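The two weaknesses quoted above, shown as an added illustration in Python rather than code from Showcase.apk or the iVerify report: a verification result that defaults to the success value and survives a swallowed failure, beside a fail-closed rewrite, plus a transport check that refuses plaintext HTTP and any host other than the one pinned. The signing key, config bytes and host name are constructed for the demo.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlparse

# Constructed values for the demo; not taken from Showcase.apk.
CONFIG_KEY = b"demo-config-signing-key"
GOOD_CONFIG = b"demo_mode=1\n"
EXPECTED_HOST = "config.example.invalid"


def sign(config: bytes) -> str:
    """Hex HMAC-SHA256 over the config, standing in for the app's signature scheme."""
    return hmac.new(CONFIG_KEY, config, hashlib.sha256).hexdigest()


def verify_fail_open(config: bytes, signature: Optional[str]) -> bool:
    """Bug class from the report: the result starts as the success value and is
    only flipped on one path, so a missing or malformed signature still passes."""
    verified = True  # insecure default initialization
    try:
        if signature is not None:
            provided = bytes.fromhex(signature)  # raises ValueError on garbage
            expected = hmac.new(CONFIG_KEY, config, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, provided):
                verified = False
    except ValueError:
        pass  # failure swallowed; 'verified' keeps its True default
    return verified


def verify_fail_closed(config: bytes, signature: Optional[str]) -> bool:
    """Hardened form: every path other than a successful comparison returns False."""
    if signature is None:
        return False
    try:
        provided = bytes.fromhex(signature)
    except ValueError:
        return False
    expected = hmac.new(CONFIG_KEY, config, hashlib.sha256).digest()
    return hmac.compare_digest(expected, provided)


def config_source_ok(url: str) -> bool:
    """Reject plaintext transport and any host other than the pinned one."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname == EXPECTED_HOST
```

A signed, untampered config passes both verifiers; an absent or malformed signature passes only the fail-open one, which is exactly the gap the report describes.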
However, the severity of this issue is somewhat mitigated by the fact that the app isn’t enabled by default. Activation would require physical access to the target device and developer mode to be turned on by a threat actor.
“Since this app is not inherently malicious, many security tools may overlook it, failing to flag it as a threat. Moreover, because it’s installed at the system level as part of the firmware, users cannot uninstall it,” iVerify explained.
In a statement to The Hacker News, Google emphasized that this issue is not an Android or Pixel platform vulnerability but rather related to a package created for Verizon in-store demo devices. Google also noted that the app is no longer in use.
“Exploiting this app on a user’s phone would require both physical access and the user’s password,” said a Google spokesperson. “We have seen no evidence of active exploitation. As a precaution, we will remove the app from all supported Pixel devices in an upcoming software update. It is not present on Pixel 9 series devices, and we are notifying other Android OEMs.”
Source: TheHackerNews