Who owns your shiny new Pixel 9 phone? You can’t say no to Google’s surveillance
Google's latest flagship smartphone raises concerns about user privacy and security. It frequently transmits private user data to the tech giant before any app is installed. Moreover, the Cybernews research team has discovered that it potentially has remote management capabilities without user awareness or approval.
Cybernews researchers analyzed the new Pixel 9 Pro XL smartphone’s web traffic, focusing on what a new smartphone sends to Google.
“Every 15 minutes, Google Pixel 9 Pro XL sends a data packet to Google. The device shares location, email address, phone number, network status, and other telemetry. Even more concerning, the phone periodically attempts to download and run new code, potentially opening up security risks,” said Aras Nazarovas, a security researcher at Cybernews.
Cybernews has reached out to Google about these findings. The company explains that transmissions are needed for legitimate services on all mobile devices regardless of the manufacturer.
Key takeaways
- Private information was repeatedly sent in the background, including the user’s email address, phone number, location, app list, and other telemetry and statistics.
- The phone constantly requests new “experiments and configurations,” tries accessing the staging environment, and connects to device management and policy enforcement endpoints, suggesting Google’s remote control capabilities.
- The Pixel device connected to services that had not been used and for which no explicit consent had been given, such as Face Grouping endpoints, raising privacy and ownership concerns.
- The calculator app, in some conditions, leaks calculations history to unauthenticated users with physical access.
Methodology
Researchers used a “man-in-the-middle” approach to intercept the traffic between a new Pixel 9 Pro XL and Google’s servers.
On a brand-new phone with a new Google account and default settings, they installed the Magisk app to gain deep (root) access to the phone’s system. Researchers then proxied the inbound and outbound traffic and used a custom security certificate to decrypt and examine the communications.
Rooting the phone disables AI features such as Google Gemini Assistant, Pixel Studio, and potentially some other features. Therefore, this method did not allow for the capture of complete traffic.
The collected traffic was not modified at any point, and researchers did not manually interact with endpoints nor attempt to verify captured secrets.
The phone beams data periodically
Web traffic analysis revealed that the Pixel device continuously sends personally identifiable information (PII), such as the user’s email address, phone number, and location, to various Google endpoints, including Device Management, Policy Enforcement, and Face Grouping.
Every 15 minutes, the device sends a regular authentication request to an endpoint called ‘auth.’
The phone also contacts a ‘check-in’ endpoint roughly every 40 minutes, listing low-level details about the phone, such as the firmware version, whether it is connected to Wi-Fi or using mobile data, the SIM card carrier, and the user’s email address.
The location data is included in the request even when the GPS is disabled – the phone then relies on nearby Wi-Fi networks to estimate the location.
“The Pixel 9 Pro XL repeatedly uses PII for authentication, configuration, and logging. This practice doesn’t align with the industry’s best anonymization practices and appears excessive. The smartphone transmits the user's email address, location, and phone number, even when utilizing a variety of other identifiers for the user and the device,” Nazarovas said.
Location and other sensitive data may be integral to many of Google’s services and features, such as newly introduced Car Crash Detection.
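As an added illustration (not Cybernews' tooling or data), the sketch below shows how a decrypted proxy capture of the kind described can be summarized per endpoint: it measures the gaps between requests to spot fixed-interval beacons and flags request bodies that contain an email address, phone number, or coordinates. The endpoint labels reuse the article's names; the timestamps, request bodies, and regular expressions are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Simple indicators for the PII kinds the article lists (assumed patterns).
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\+\d{8,15}\b"),
    "coords": re.compile(r"-?\d{1,3}\.\d{4,},-?\d{1,3}\.\d{4,}"),
}

# Constructed capture: (seconds since start, endpoint label, decoded request body).
# Endpoint labels follow the article; every value below is made up.
FLOWS = [
    (0, "auth", "Email=user@example.com&id=d1"),
    (900, "auth", "Email=user@example.com&id=d1"),
    (1805, "auth", "Email=user@example.com&id=d1"),
    (2700, "auth", "Email=user@example.com&id=d1"),
    (60, "check-in", "fw=X;net=wifi;acct=user@example.com;msisdn=+15550100123;loc=10.1234,20.5678"),
    (2460, "check-in", "fw=X;net=lte;acct=user@example.com;msisdn=+15550100123;loc=10.1234,20.5678"),
    (4870, "check-in", "fw=X;net=wifi;acct=user@example.com;msisdn=+15550100123;loc=10.1234,20.5678"),
    (400, "voice-search", "boots=3;uptime=400;apps=a,b"),
    (610, "voice-search", "boots=3;uptime=610;apps=a,b"),
    (9000, "voice-search", "boots=3;uptime=9000;apps=a,b"),
]

def pii_kinds(body):
    # Names of the PII patterns that match this request body.
    return sorted(k for k, rx in PII_PATTERNS.items() if rx.search(body))

def summarize(flows, tolerance=0.10):
    # Group requests by endpoint in time order.
    by_ep = defaultdict(list)
    for ts, ep, body in sorted(flows):
        by_ep[ep].append((ts, body))
    report = {}
    for ep, items in by_ep.items():
        gaps = [b[0] - a[0] for a, b in zip(items, items[1:])]
        med = median(gaps) if gaps else None
        # Periodic: at least two gaps, each within `tolerance` of the median gap.
        periodic = len(gaps) >= 2 and all(abs(g - med) <= tolerance * med for g in gaps)
        pii = sorted({k for _, body in items for k in pii_kinds(body)})
        report[ep] = {"median_gap_s": med, "periodic": periodic, "pii": pii}
    return report

if __name__ == "__main__":
    for ep, row in summarize(FLOWS).items():
        print(ep, row)
```

On a real capture, the tuples would come from the proxy's flow export, and the tolerance would need tuning for scheduler jitter and device sleep states.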
Communicates with services without explicit consent
Another concerning observation was communication with services the user didn’t explicitly consent to.
Cybernews researchers did not open the Photos app even once, nor did they take any photos. Yet, the Pixel device periodically contacted endpoints associated with Google Photos’ Face Grouping feature without asking for consent.
“These services are especially sensitive as the endpoints are used for processing of biometric data, such as facial recognition. Since there were no photos on the test device, we did not observe any personally identifiable information being sent to these endpoints,” Nazarovas said.
Another Google feature, Voice Search, was connecting to its servers sporadically – sometimes every few minutes, sometimes it wouldn't communicate for hours.
It sent potentially excessive and sensitive data, including the number of times the device was restarted, the time elapsed since powering on, and a list of apps installed on the device, including the sideloaded ones.
Researchers only tested an account with default settings and did not check how the device would respond to any changes in privacy and security settings.
The phone constantly checks for new code to run
Google appears to have reserved some remote management and control capabilities for Pixel devices.
Most Android phones have a “CloudDPC” package built in. It is used to manage enterprise devices, such as changing security policies, remotely distributing apps, wiping data, etc.
“Worryingly, we observed CloudDPC reaching out to Google’s servers. This signals that the company may be able to control settings and perform actions on regular consumer devices if they choose to do so. It appears that users do not have full control of the device when a vendor can make changes without user knowledge and consent,” Nazarovas said.
Moreover, the Pixel device periodically calls out to a Staging environment service (‘enterprise-staging.sandbox’) and attempts to download assets that do not yet exist.
This reveals the capability of remotely installing new software packages.
“This is concerning because development and staging environments are considered less secure and private. If a malicious actor gains access to the development endpoint or spoofs it, such situations might lead to data injection and potential remote code execution on Pixel devices,” Nazarovas said.
The Pixel phone also maintained a nearly constant connection to the experiments and configurations endpoint.
The researcher noted that the experiments’ endpoint may be used for A/B testing, trying new user interface elements, or advertisement campaigns on a small subset of users for a limited time.
“All these services signal to us that the Pixel 9 Pro XL owners might be unable to reliably administrate the device or control what gets installed or deleted. During the experiment, we did not observe any harmful actions. However, the existing infrastructure could be used for remote control of the device or to install new software,” Nazarovas said.
On a positive note, not a single data packet traveled to any third parties during the observation period.
Also, the phone continuously queried Google’s servers for updates on known scam-related phone numbers, presumably for its call-screening feature. Every 24 hours, the device would rotate cryptographic keys.
Calculator leaks calculations
While using the phone, researchers observed another potentially risky aspect. When the Pixel device is locked, the calculator app is accessible through the notification tray widgets. When launched, an unrestricted version of the app reveals the calculator’s history. While not the most sensitive data, it still should not be available to any passerby.
“We were unable to access any user data without first unlocking the device and the calculator was a single exception. It is important to note the widget in the notifications tray is not enabled by default – the user would have to manually add it to the list of shortcuts,” Nazarovas said.
Google: data transmissions needed for legitimate services
Google explains that core Play services enable key functionality on every certified Android device. Everyone can check what data is collected.
“User security and privacy are top priorities for Pixel. You can manage data sharing, app permissions and more during device setup and in your settings. This report lacks crucial context, misinterprets technical details and doesn't fully explain that data transmissions are needed for legitimate services on all mobile devices regardless of the manufacturer, model or OS, such as software updates, on-demand features and personalized experiences,” a Google spokesperson said.
The company also noted that it is difficult to recreate exact scenarios when the device is modified (rooted) – these conditions could trigger unintended data checks. In general, data transmissions are needed for legitimate services regardless of the device model, manufacturer, or even OS.
Pixel is stringent with sensitive permissions such as location, background apps, and usage data. Users need to explicitly consent to those permissions.
Conclusion
The Pixel 9 Pro XL, with a strong focus on AI features, raises the bar for innovation, offering cutting-edge capabilities and Google Assistant integration. However, it also raises some concerns about eroding user privacy and control.
“The amount of data transmitted and the potential for remote management cast doubt on who truly owns the device. Users may have paid for it, but the deep integration of surveillance systems in the ecosystem may leave users vulnerable to privacy violations,” Nazarovas said.
Cybernews researchers believe that the potential benefits outweigh the potential risks. However, as the technology evolves, it is imperative that companies ensure transparency, safeguarding, and user controls.
Google is a publicly-traded company valued at more than $2 trillion. The tech company started as a search engine and later grew into a conglomerate offering advertising services, hardware, cloud computing, e-commerce solutions, AI, and others. Recently, Google was found guilty of creating a search monopoly, and the case is ongoing.
Updated on October 9th [07:00 a.m. GMT] with a statement from Google and additional information.
Comments
What I miss in your report is a possibility to redeem control of your device.
Using an older Google Pixel smartphone I installed Graphene OS to lock out Google. According to my research Graphene OS can also be installed on Pixel 9.