Pixel smartphones delivered with secret but inactive remote maintenance

Millions of Pixel phones were delivered with remote maintenance software that makes them vulnerable to spyware – but according to Google, only if the perpetrator has physical access to the device, enters the user’s password, and knows how to activate the normally invisible and inactive software. Under these conditions, an attacker could also install any other software. The remote maintenance software is said to have been installed at Verizon’s request since the Pixel phones were launched in 2017. The US mobile operator used the program for a time to demonstrate Pixel phones in its sales outlets.

Advertisement


It is still unclear whether Android phones other than Pixel are affected. Active exploitation is not known. The security vulnerability was discovered by the “Endpoint Detection and Response” scanner (EDR) by Iverify on a customer’s cell phone. iVerify, together with the affected customer Palantir and the security company Trail of Bits, was able to trace this back to a hidden Android software package. Even though the software is no longer used, it is still in the images of the Pixel smartphones, as Trail of Bits CEO Dan Guido notes on X.

In fact, firmware images for the Pixel devices can still be downloaded, which contain the Showcase.pkg in product.img under priv-app, as heise online shows based on the Images of Android 14.0 for the Pixel 8a could check.

According to Iverify, once activated, the application downloads a configuration file over an insecure connection, which can result in system-level code execution. The configuration file is retrieved from an AWS-hosted domain over unsecured HTTP, making the configuration and device vulnerable to malicious code, spyware, and data deletion.

The affected package is pre-installed in the firmware of Pixel devices. By default, the application is not active; however, since it is part of the firmware image, millions of phones could run this app at the system level. Users cannot uninstall Showcase.apk themselves. According to Verizon, an update that removes the inactive software is in the works and will be made available to “all affected OEM manufacturers”. This raises the suspicion that phones other than Pixel are also equipped with the insecure application.

According to media reports, Showcase.apk comes from Smith Micro, a company that provides software for remote access, parental controls and data erasure. “This is neither an Android platform nor a Pixel vulnerability,” Google told ForbesThe app was developed as a demo function for stores of the US mobile operator Verizon, but is no longer used. Activating the app requires both physical access to the device and the user’s password.

The function is no longer used by Verizon and consumers no longer use it, a company spokesperson told Forbes. Neither iVerify nor Verizon have found any evidence of the vulnerability being exploited. As a precautionary measure, the demo function will be removed from all devices.

The discovery of Showcase.apk and similar incidents demonstrate the need for greater transparency and discussion around third-party apps that are part of the operating system.


(mack)

source site

Related Articles