
Millions of Google Pixels have shipped with a major security flaw

Published Aug 15th, 2024 5:37PM EDT
The Pixel 9 Pro in Rose Quartz.
Image: Google


This week should be one of celebration for Google after debuting the Pixel 9 and Pixel Watch 3 at the Made by Google event, but now, a troubling report threatens to spoil the fun. According to the cybersecurity company iVerify, “a very large percentage” of Pixel devices that have shipped since 2017 have included software that could be manipulated to hack into the phones.

As iVerify notes, its endpoint detection and response (EDR) technology flagged an insecure Android device at Palantir Technologies earlier this year. iVerify opened a joint investigation with Palantir and Trail of Bits, and they soon found, in the device's firmware, an Android package named Showcase.apk, developed by Smith Micro.

The package is intended to turn the phones into demo devices, so a store like Best Buy or Verizon can set a phone up for display. The problem is that the package also runs with high-level system privileges it has no need for, including the ability to execute code remotely and to install packages remotely.

“The app vulnerability leaves millions of Android Pixel devices susceptible to man-in-the-middle attacks, giving cybercriminals the ability to inject malicious code and dangerous spyware,” said iVerify’s researchers in a report on the blog. “Cybercriminals can use vulnerabilities in the app’s infrastructure to execute code or shell commands with system privileges on Android devices to take over devices to perpetrate cybercrime and breaches.”
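A practitioner's first question is whether a given Pixel actually carries the package. The following is an added example, written for this page and not taken from the article, iVerify, or Google: it reads the output of Android's `pm list packages -f -s` (system packages with their APK paths) over adb, reports any entry whose file is Showcase.apk, and notes whether that APK lives under a priv-app directory, which is where Android places privileged system apps. It assumes adb is on PATH and the device has USB debugging enabled for the live check; the sample listing inside the script is constructed, and its package name is a placeholder rather than the real one.

```shell
#!/bin/sh
# Added example (not from the article, iVerify, or Google): check a Pixel
# over adb for the Showcase.apk package the report names, and note whether
# it sits in a priv-app directory, where Android keeps privileged system apps.
# Assumes adb on PATH and a device with USB debugging enabled for the live
# check; the sample listing below is constructed and its package name is
# a placeholder, not the real one.

# Constructed sample of `adb shell pm list packages -f -s` output.
SAMPLE='package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/product/priv-app/Showcase/Showcase.apk=com.example.showcase
package:/system/app/Calendar/Calendar.apk=com.android.calendar'

# Read a `pm list packages -f` listing on stdin and print one line per
# Showcase.apk entry: "<apk path> <package name> <priv-app|non-privileged>".
# Exit status 0 if at least one entry was found, 1 otherwise.
report_showcase() {
    awk -F'=' '
        /^package:.*\/Showcase\.apk=/ {
            path = substr($1, 9)        # drop the "package:" prefix
            pkg  = $2
            priv = (path ~ /\/priv-app\//) ? "priv-app" : "non-privileged"
            print path, pkg, priv
            found = 1
        }
        END { if (found) exit 0; exit 1 }
    '
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | report_showcase

# Live check against a connected device (uncomment with adb available):
# adb shell pm list packages -f -s | report_showcase || echo "Showcase.apk not present"
```

The priv-app distinction matters because a privileged system app can hold permissions ordinary apps cannot be granted, which is what turns a demo helper into a foothold for the kind of remote code execution the report describes.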

This is obviously an incredibly worrisome discovery, but the good news is that Google is already working on a fix for its Pixel phones.

“Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update,” Google spokesperson Ed Fernandez told The Washington Post on Thursday evening.

Better late than never, as iVerify reports that it “notified Google with a detailed vulnerability report following their 90-day disclosure process.” Palantir Technologies was even concerned enough to “remove Android devices from its mobile fleet and transition entirely to Apple devices over the next few years.” But at least a software update is coming.

Jacob Siegal Associate Editor

Jacob Siegal is Associate Editor at BGR, having joined the news team in 2013. He has over a decade of professional writing and editing experience, and helps to lead our technology and entertainment product launch and movie release coverage.