Google pulls built-in Pixel phone app after security alerts are raised

Google is removing a built-in app from its Pixel phones, more than 90 days after the intelligence agency Palantir and the mobile security company iVerify expressed concerns about a major vulnerability in the software, Google said on Wednesday evening.

The application in question, Showcase.apk, was intended to help employees selling Pixel phones demonstrate the phones' features, iVerify says. But when the normally dormant app is activated, it accesses information from an Amazon Web Services site using the less secure HTTP protocol, leaving it vulnerable to hacking.

Information about the Pixel app vulnerability was published on Thursday in a report from iVerify that was publicized by Palantir and security firm Trail of Bits. Palantir said it notified Google of the issue more than 90 days ago and that the concerns had not been addressed. Palantir subsequently stopped issuing Android phones to employees due to concerns about the software’s security.

Google said in an email to CNET that the app was developed by a third party, Smith Micro, for Verizon, and said it does not represent an Android or Pixel vulnerability because it was only used for in-store devices. The company said the app is no longer used.

“Exploitation of this app on a user’s phone requires both physical access to the device and the user’s password,” a Google spokesperson told CNET. “We have not seen any evidence of active exploitation. Out of an abundance of caution, we will remove this from all supported Pixel devices in the market with an upcoming Pixel software update. The app is not present on Pixel 9 series devices. We are also notifying other Android OEMs.”

News of a potential security vulnerability affecting Pixel phones comes the same week that Google introduced its new line of Pixel phones at a Made By Google event in Mountain View, California, where the company touted its new hardware line of phones, watches and earbuds, as well as AI features in its Gemini software.

“While we have no evidence that this vulnerability is being actively exploited, it has serious implications for enterprise environments, where millions of Android phones enter the workplace every day,” said Rocky Cole, co-founder and chief operating officer at iVerify, in a statement summarizing the report on Thursday. “Google is essentially giving CISOs the impossible choice of either accepting unsafe bloatware or banning Android entirely.”

iVerify said the app in question can’t be removed by users; it’s part of the firmware on Pixel phones. The app may be a problem on other non-Pixel Android devices released by Verizon that include the Showcase app.

Google said in an email that the Pixel update would be rolled out “in the coming weeks,” but didn’t give users any instructions on what they can do to protect their phones until that happens, other than to keep the phone out of the hands of hackers.
