A ‘very large percentage’ of Pixel phones have a hidden security vulnerability

Google Pixel 8a, 8 Pro, and Fold phones

Kerry Wan/ZDNET

If you have a Pixel phone, there’s a newly discovered vulnerability you should be aware of.

Security firm iVerify just published a blog about its report which details how “a very large percentage” of Pixel phones shipped since 2017 have an app with a vulnerability that leaves them “susceptible to man-in-the-middle (MITM) attacks, giving cybercriminals the ability to inject malicious code and dangerous spyware.”

Also: How to find and remove spyware from your phone

The vulnerability in question is showcase.apk, a software package that turns a phone into a demo device for employees at Verizon stores to show off features of Pixel phones to potential customers. While it was just for Verizon employees, the software was present on almost all Pixel phones in the past 7 years.

The problem is, the application runs at the system level and has deep system privileges, even remote software installation and code execution (something iVerify notes isn’t even needed for the intended purpose).

The app receives its configuration from a single unsecured Amazon Web Services domain, meaning someone could, in theory, potentially place malware or spyware on a phone through that domain.

Since it’s preinstalled Pixel firmware, users can’t remove it through standard processes. The app isn’t enabled by default. iVerify said there might be multiple ways to enable it, but in its testing, it had to be manually enabled.

Also: Was your Social Security number leaked to the dark web? Here’s what to do first

Google says there’s no need for concern. Speaking to The Washington Post about the issue, a company representative said Verizon employees no longer use the app and that it’s not present on the new Pixel 9 series. He also said that Google had zero evidence of anyone taking advantage of this exploit.

Still, Google says it’s removing the software from Pixel devices through an upcoming software update out of an abundance of caution.

While there is no evidence that this particular vulnerability was exploited, iVerify says it’s enough of a problem that Palantir Technologies, the company that helped identify the security issue in the first place, is removing Android devices from its mobile fleet and transitioning entirely to Apple devices over the next few years. 

READ MORE HERE