- Verify discovered an Android package, “Showcase.apk,” with excessive system privileges, including remote code execution and remote package installation capabilities, on a very large percentage of Pixel devices shipped worldwide since September 2017
- The application downloads a configuration file over an unsecure connection and can be manipulated to execute code at the system level
- The application retrieves the configuration file from a single US-based, AWS-hosted domain over unsecured HTTP, which leaves the configuration vulnerable and can makes the device vulnerable
- The app vulnerability leaves millions of Android Pixel devices susceptible to man-in-the-middle (MITM) attacks, giving cybercriminals the ability to inject malicious code and dangerous spyware
- Cybercriminals can use vulnerabilities in the app’s infrastructure to execute code or shell commands with system privileges on Android devices to take over devices to perpetrate cybercrime and breaches
- Removal of the app is not possible through a user’s standard uninstallation process, and at this time, Google has not offered a patch for the vulnerability
- It appears that Showcase.apk is preinstalled in Pixel firmware and included in Google’s OTA image for Pixel devices
- The app is not enabled by default, but there might be multiple methods to enable it. The iVerify research team investigated one method requiring physical access
Read the Full Details Here