While Google unveiled an impressive range of new-generation Pixel 9 phones this week, including a standard model — the Pixel 9 — and three Pro models: the Pixel 9 Pro, Pixel 9 Pro XL, and Pixel 9 Pro Fold, new reports have emerged indicating a security vulnerability in most Pixel phones sold since September 2017.
These devices feature software that can be used to covertly surveil or remotely control users’ phones, according to a new report by cybersecurity company iVerify.
The vulnerability was discovered after iVerify’s endpoint detection and response (EDR) scanner flagged an insecure Android device at Palantir Technologies, an iVerify client, reported The Verge.
After launching a joint investigation, iVerify, Palantir, and Trail of Bits discovered a hidden Android software package — Showcase.apk — across Google Pixel devices.
Showcase.apk, a third-party application, was developed by a company called Smith Micro Software, according to iVerify’s report. It was apparently installed by Verizon on Pixel phones in the US.
The app is installed so that the phone can be shown off as a demo device at Verizon stores, but the same program also runs with deep system privileges, giving potential hackers “backdoor” access to the device.
The app was inactive by default and had to be manually enabled, the iVerify report noted. “When enabled, Showcase.apk makes the operating system accessible to hackers and ripe for man-in-the-middle attacks, code injection, and spyware,” the report reads. “The impact of this vulnerability is significant and could result in data loss breaches totaling billions of dollars.”
In response to the discovery, data-mining firm Palantir, which sells surveillance products to governments and private companies, banned Android phones across the company.
“This was very deleterious of trust, to have third-party, unvetted insecure software on it,” Dane Stuckey, Palantir’s chief information security officer, told The Washington Post. “We have no idea how it got there, so we made the decision to effectively ban Androids internally.”
iVerify reportedly notified Google of its findings in early May. Despite that notification, Google had not publicly disclosed the vulnerability, nor had it released a software update to remove the app.
Google has now stated that the software is no longer in use. Google spokesperson Ed Fernandez said the software was made “for Verizon in-store demo devices and is no longer being used,” adding that Google has “seen no evidence of any active exploitation.”
Wired has reported that Android will now remove the app from all Pixel devices “in the coming weeks.”