Google Pixel vulnerability blamed on Verizon’s ancient store demo app



Summary

  • Google’s Pixel devices contain a potential security vulnerability linked to an APK with system privileges.
  • The APK, which uses “Verizon Retail Demo Mode” as its user-facing name, downloads files over unsecured HTTP, which could allow cybercriminals to attack Pixel devices.
  • Google has not prioritized fixing the issue as the app is disabled by default, likely requiring physical access to the device to be enabled. However, the company says it will remove the app through an update to Pixels in the coming weeks.




A recent discovery is putting Google’s robust Pixel security claims to the test.

An APK that has lurked on every Pixel device since 2017 has been flagged as potentially vulnerable because of its “excessive system privileges,” which include remote code execution and remote package installation.


The vulnerability was first spotted by iVerify, which indicated that the software, named Showcase.apk, is a leftover from an app once used by Verizon for its in-store demo devices. Android Police and APKMirror founder Artem Russakovskii did some digging and found that Showcase.apk’s friendly name is Verizon Retail Demo Mode, published by the Verizon Consumer Group.


The tool has permission to fetch configuration files over unsecured HTTP, which is what all the fuss is about: it leaves Pixel devices open for cybercriminals to attack. The app likely has these permissions to keep in-store demo devices up to date.

iVerify suggests that the APK itself is presumably safe and that it isn’t completely installed on Pixel devices, which is why you won’t be able to locate it in your app managers. That is also why “most security technology may overlook it and not flag it as malicious.” However, its system-level permissions, alongside its permission to download files over unsecured HTTP, are what make it a ticking time bomb.
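A defender can inventory this class of app directly. The sketch below is an added example, not code from iVerify or Google, and it generalizes beyond Showcase.apk: it parses the output of `adb shell pm list packages -s -d -f` (disabled system packages with their APK paths) and flags the ones stored in a privileged app directory. The sample output, its paths and the `com.example.*` package names are constructed, and treating a `priv-app` directory as the marker of a privileged app is an assumption.

```python
import re

# Constructed sample of `adb shell pm list packages -s -d -f` output
# (-s: system packages, -d: disabled only, -f: include the APK path).
# Paths and package names are made up, not taken from a real device.
SAMPLE_PM_OUTPUT = """\
package:/product/priv-app/Showcase/Showcase.apk=com.example.retaildemo
package:/system/app/OldWallpaper/OldWallpaper.apk=com.example.wallpaper
package:/system_ext/priv-app/CarrierSetup/CarrierSetup.apk=com.example.carriersetup
garbage line that is not a package entry
"""

# Assumption: privileged system apps are stored under a priv-app directory.
PRIV_DIR = re.compile(r"^/(?:[\w.-]+/)*priv-app/")
LINE = re.compile(r"^package:(?P<path>/.+\.apk)=(?P<name>[\w.]+)$")


def parse_pm_list(text):
    """Return (apk_path, package_name) pairs, skipping malformed lines."""
    entries = []
    for raw in text.splitlines():
        match = LINE.match(raw.strip())
        if match:
            entries.append((match.group("path"), match.group("name")))
    return entries


def dormant_privileged(text):
    """Names of disabled system packages whose APK sits in a priv-app directory."""
    return sorted(
        name for path, name in parse_pm_list(text) if PRIV_DIR.match(path)
    )


if __name__ == "__main__":
    for name in dormant_privileged(SAMPLE_PM_OUTPUT):
        print("review:", name)
```

Each flagged package is a candidate for manual review, not a finding: a disabled privileged app is only a concern if it can be re-enabled and does something risky once it runs.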


Google knows of the issue


The mobile threat hunting company informed Google about the vulnerability back in May, though the tech giant hasn’t acted upon it yet. Google likely hasn’t made the issue a priority because the app is disabled by default. This essentially means that a threat actor would have to physically enable the application before it can be used for wider cyberattacks, which largely defeats the purpose of a cyberattack. It is currently unknown if threat actors can somehow enable the application remotely.

“We only found a physical way of turning this on, but there might be different ways that a potential remote attacker or someone that is already on the phone with malware might turn this on and use it for privilege escalation,” said Matthias Frielingsdorf, iVerify’s vice president of research, in a statement given to Wired. “For our knowledge, physical access limits the danger. If I knew a clear remote way to do this, I would not want to do public disclosure because then millions of people’s devices would be in danger.”


The unanswered question here, however, is that if the application in question is meant to be used on demo devices in Verizon stores, why does Google ship nearly all Pixel devices with it? Is it a quality control issue or just oversight?

The concern is serious enough that Palantir Technologies, a software platform company that reportedly worked alongside iVerify to identify the security issue, has decided to abandon Android in favor of Apple’s iPhones because of the discovery and Google’s laggard response.

“A well-resourced adversary like a nation state could exploit this — it has the potential to be a backdoor into basically any Pixel in the world,” said Rocky Cole, COO at iVerify and a former US National Security Agency analyst, in a statement to Wired.


In a separate statement to Wired, a Google spokesperson confirmed that the application is no longer in use, and that it will be removed from all Pixel devices via a software update “in the coming weeks.”


