If you bought a Pixel phone in or after September 2017, it may carry a hidden pre-installed app that could leave it open to attack.
On Thursday, iVerify, a cybersecurity company, published a report providing details on an app pre-installed in Pixel firmware — called "Showcase.apk" — which was discovered when looking into a flagged device from Palantir Technologies, one of iVerify's clients. According to iVerify, "millions of Android Pixel phones worldwide could have this application."
Pixel phones, like every other phone on the market, come with pre-installed apps, so what makes this one different? iVerify found that this particular app carries a serious vulnerability that attackers could exploit.
What could this Pixel vulnerability cause?
The Android app appears to have been created for Verizon employees to showcase what phones could do. In a statement to The Washington Post, Google spokesperson Ed Fernandez said the software was made "for Verizon in-store demo devices and is no longer being used."
Although the app isn't enabled by default and "is not inherently malicious," iVerify isn't quick to rule out the dangerous possibilities, saying, "there might be multiple methods to enable [the app]." Fernandez, however, told The Washington Post that "Exploitation of this application on a user phone requires both physical access to the device and the user's password."
According to iVerify, the Android package Showcase.apk has "excessive system privileges." Those privileges raise the stakes of a "man-in-the-middle (MITM) attack" against the app: an attacker able to tamper with its traffic could potentially achieve remote code execution and install malicious code or spyware with the app's elevated rights.
This information was enough for iVerify's client, Palantir Technologies, to ban Android devices at the company. Dane Stuckey, Palantir's CISO, told The Washington Post, “This was very deleterious of trust, to have third-party, unvetted insecure software on it. We have no idea how it got there, so we made the decision to effectively ban Androids internally.”
iVerify notified Google of this vulnerability when it was first discovered earlier this year, but in the published report overview, iVerify said, "It's unclear when Google will issue a patch or remove the software from the phones to mitigate the potential risks."
No exploitation of Showcase.apk has been reported so far, but Fernandez told The Washington Post on Wednesday night: "Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update."
In a separate response to Wired, Fernandez specified the software update would happen "in the coming weeks," but Google has not yet provided a specific date for the update.
While this vulnerability does not appear to have been exploited in the wild, it is a reminder to keep your mobile device locked down: a strong lock-screen password matters here, since Google says exploitation requires both physical access and that password, and security updates should be installed as soon as they are available.
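Until the update lands, a practical question is whether a given Pixel still has the package on board and whether it is enabled. The script below is an added example, not tooling from iVerify, Google or the article: it parses the output of Android's `pm list packages -f` (which prints `package:<apk path>=<package name>`) for an APK file named Showcase.apk, then checks the package name against `pm list packages -d` (disabled packages only). The sample output embedded here is constructed; the APK path and the package name `com.example.showcase` are placeholders, since the article gives only the file name Showcase.apk.

```shell
#!/bin/sh
# Added example (not from the article, iVerify or Google): check whether
# Showcase.apk is installed on an Android device and whether it is enabled,
# using the output of `pm list packages`.

# Constructed sample of `adb shell pm list packages -f -s` output. The path
# and the package name com.example.showcase are placeholders, not real values.
SAMPLE_PM_LIST='package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/product/priv-app/Showcase/Showcase.apk=com.example.showcase
package:/system/app/Calendar/Calendar.apk=com.android.calendar'

# Constructed sample of `adb shell pm list packages -d` output
# (disabled packages only, one "package:<name>" per line).
SAMPLE_PM_DISABLED='package:com.example.showcase'

# showcase_package_name: read `pm list packages -f` output on stdin and print
# the package name whose APK file is Showcase.apk. Exits 1 if it is absent.
showcase_package_name() {
    sed -n 's#^package:.*/Showcase\.apk=##p' | grep .
}

# package_state PKG DISABLED_LIST: print "disabled" if PKG appears in the
# `pm list packages -d` output passed as DISABLED_LIST, otherwise "enabled".
package_state() {
    pkg=$1
    disabled_list=$2
    if printf '%s\n' "$disabled_list" | grep -qxF "package:$pkg"; then
        echo disabled
    else
        echo enabled
    fi
}

# check_device PM_LIST DISABLED_LIST: combine both checks into one verdict.
# Returns 1 when Showcase.apk is not present at all.
check_device() {
    pm_list=$1
    disabled_list=$2
    pkg=$(printf '%s\n' "$pm_list" | showcase_package_name) || {
        echo "Showcase.apk not present"
        return 1
    }
    echo "Showcase.apk present as $pkg ($(package_state "$pkg" "$disabled_list"))"
}

# Stand-alone run against the constructed samples. On a real device with USB
# debugging enabled, feed live output instead:
#   check_device "$(adb shell pm list packages -f -s)" "$(adb shell pm list packages -d)"
check_device "$SAMPLE_PM_LIST" "$SAMPLE_PM_DISABLED"
```

A package that is present but disabled matches the state Google describes ("isn't enabled by default"); a present and enabled Showcase.apk on a non-demo device is worth investigating. Absence of the file does not by itself prove the update has been applied, since the APK path varies by firmware build, so check the build's security patch level as well.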