
Google Pixel devices shipped with vulnerable app, putting millions at risk

August 16, 2024 | Ravie Lakshmanan | Mobile Security / Software Security


A large percentage of Google Pixel devices shipped worldwide since September 2017 contained dormant software that could be used to launch malicious attacks and spread various types of malware.

According to mobile security firm iVerify, the issue manifests in the form of a pre-installed Android app called “Showcase.apk” that comes with excessive system permissions, including the ability to remotely execute code and install arbitrary packages on the device.

“The application downloads a configuration file over an insecure connection and can be manipulated to execute system-level code,” according to an analysis published jointly with Palantir Technologies and Trail of Bits.

“The application retrieves the configuration file from a single US-based, AWS-hosted domain over unsecured HTTP, leaving the configuration exposed and potentially making the device vulnerable.”


The app in question is called Verizon Retail Demo Mode (“com.customermobile.preload.vzw”), which, based on artifacts uploaded to VirusTotal earlier this February, requires nearly three dozen different permissions, including location and external storage. Posts on Reddit and XDA Forums indicate the package has been around since August 2016.

The core issue is that the app downloads a configuration file over an unencrypted HTTP web connection, as opposed to HTTPS, opening the door to modifying it during transmission to the targeted phone. There is no evidence that this has ever been investigated in the wild.


It’s worth noting that the app isn’t Google-made software. Rather, it was developed by a business software company called Smith Micro to put the device into demo mode. It’s currently unclear why third-party software is built directly into the Android firmware, but behind the scenes, a Google representative said the application is proprietary and required by Verizon on all Android devices.

The end result is that Android Pixel smartphones become vulnerable to adversary-in-the-middle (AitM) attacks, giving attackers the power to inject malicious code and spyware.

In addition to running in a highly privileged context at the system level, the application “fails to authenticate or verify a statically defined domain while retrieving the application configuration file” and “uses insecure default variable initialization during certificate and signature verification, resulting in valid authentication checks upon failure.”
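The fail-open pattern quoted above, sketched as an added example (not code from Showcase.apk or from the iVerify analysis): a verifier whose result variable defaults to "valid" reports success whenever the check itself errors out, while one that defaults to "invalid" does not. The HMAC stand-in for signature verification, the envelope format and all names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; HMAC stands in for the app's signature check (assumption).
DEMO_KEY = b"constructed-demo-key"

def _check(blob: bytes) -> bool:
    """Parse the envelope and compare its tag; raises on malformed input."""
    doc = json.loads(blob)
    body = doc["body"].encode()
    tag = base64.b64decode(doc["sig"], validate=True)
    expected = hmac.new(DEMO_KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

def verify_fail_open(blob: bytes) -> bool:
    """Flawed pattern: result starts as 'valid' and errors are swallowed."""
    ok = True                  # insecure default initialization
    try:
        ok = _check(blob)
    except Exception:
        pass                   # any failure leaves ok == True
    return ok

def verify_fail_closed(blob: bytes) -> bool:
    """Hardened pattern: result starts as 'invalid' and errors keep it so."""
    ok = False
    try:
        ok = _check(blob)
    except Exception:
        ok = False             # an error is treated as a failed verification
    return ok

def sign(body: str) -> bytes:
    """Build a constructed, correctly tagged envelope for the demo."""
    tag = hmac.new(DEMO_KEY, body.encode(), hashlib.sha256).digest()
    return json.dumps({"body": body, "sig": base64.b64encode(tag).decode()}).encode()

GOOD = sign('{"demo_mode": false}')
# Constructed input: body altered, signature field absent, so _check raises.
TAMPERED = json.dumps({"body": '{"demo_mode": true}'}).encode()
# Constructed input: body altered, stale signature kept, so _check returns False.
WRONG_SIG = json.dumps({"body": '{"demo_mode": true}',
                        "sig": json.loads(GOOD)["sig"]}).encode()

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("tampered", TAMPERED), ("wrong_sig", WRONG_SIG)):
        print(name, verify_fail_open(blob), verify_fail_closed(blob))
```

Both verifiers reject a well-formed but wrong signature; they differ only on the error path, which is why this kind of defect tends to survive tests that exercise only valid and cleanly invalid inputs.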

That said, the severity of this shortcoming is somewhat mitigated by the fact that the app is not enabled by default, and enabling it is only possible if a malicious actor has physical access to a target device and developer mode is enabled.


“Since this app is not inherently malicious, most security technologies will miss it and not flag it as malicious. Additionally, the app is installed at the system level and part of the firmware image, so it cannot be removed at the user level,” iVerify said.

In a statement shared with The Hacker News, Google said the vulnerability is neither an Android platform nor a Pixel one, and that it is related to a package file developed for Verizon in-store demo devices. It also said the app is no longer used.

“Exploitation of this app on a user’s phone requires both physical access to the device and the user’s password,” a Google spokesperson said. “We have not seen any evidence of active exploitation. Out of an abundance of caution, we will remove this from all supported Pixel devices in the market with an upcoming Pixel software update. The app is not present on Pixel 9 series devices. We are also notifying other Android OEMs.”
