Pre-installed app on millions of Pixel devices is making them vulnerable to attack


A “very large percentage of Pixel devices” shipped worldwide since September 2017 have an app called “Showcase.apk” installed, which potentially allows hackers to install malware, cybersecurity company iVerify claims.

The Showcase.apk package was developed by software company Smith Micro and was designed to demonstrate the capabilities of Pixel and other Android devices in Verizon stores.

iVerify’s endpoint detection and response (EDR) product first flagged the device at Palantir Technologies, a software solutions and big data analytics provider, which prompted an investigation.

The investigation revealed that Showcase.apk, which is part of the firmware and cannot be removed from the phone by a user, downloads a configuration file over unsecured HTTP from a site hosted on Amazon Web Services.

This allows the app to execute system commands or modules that could open a backdoor, making it easy for cybercriminals to compromise the device, the report claims.

The app vulnerability leaves millions of Android Pixel devices susceptible to man-in-the-middle attacks, allowing cybercriminals to inject malicious code and dangerous spyware.
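
The weakness described above is a configuration file fetched over plain HTTP that then drives what the app executes. The following is an added example of the checks a client can apply before acting on such a file; it is not code from Showcase.apk, iVerify or Google. The action names, key and URL are constructed, and the HMAC tag is a stand-in for a pinned public-key signature.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed values for illustration; none come from the app or the report.
ALLOWED_ACTIONS = {"start_demo", "stop_demo"}
DEMO_KEY = b"constructed-demo-key"  # stand-in for a pinned public key


class ConfigRejected(Exception):
    """Raised when a fetched configuration must not be acted on."""


def sign(body: bytes, key: bytes = DEMO_KEY) -> str:
    """Publisher side: compute the tag shipped alongside the config."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def load_config(url: str, body: bytes, tag: str, key: bytes = DEMO_KEY) -> list:
    """Return the allow-listed actions in a fetched config, or raise.

    `body` and `tag` are what the network returned for `url`; the fetch
    itself is left out so the checks can be exercised offline.
    """
    # 1. Cleartext transport lets anyone on the path rewrite the response.
    if urlsplit(url).scheme.lower() != "https":
        raise ConfigRejected("config URL is not HTTPS")
    # 2. Integrity check that does not rely on the transport alone.
    if not hmac.compare_digest(sign(body, key).encode(), tag.encode()):
        raise ConfigRejected("config authentication tag mismatch")
    # 3. Parse strictly and treat the content as data, never as commands.
    try:
        actions = json.loads(body)["actions"]
    except (ValueError, KeyError, TypeError) as exc:
        raise ConfigRejected(f"malformed config: {exc}") from exc
    if not isinstance(actions, list):
        raise ConfigRejected("actions must be a list")
    unknown = [a for a in actions
               if not isinstance(a, str) or a not in ALLOWED_ACTIONS]
    if unknown:
        raise ConfigRejected(f"actions outside the allow-list: {unknown}")
    return actions
```

The allow-list check runs even on a correctly authenticated file, so a compromised publisher or leaked key still cannot turn the configuration into arbitrary command execution.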

Google to remove the app

iVerify says it contacted Google about the vulnerability 90 days ago, but the issue hasn’t been addressed.

However, on Wednesday night, Google responded to queries from several media outlets, including The Washington Post, saying it would issue an update to remove the app and notify other Android distributors.

According to the company, this application can be exploited on a user's phone only with physical access to the device and the user’s password.

It also stated that there is currently no news of hackers exploiting this vulnerability.

iVerify claims that the vulnerability could have a significant impact, resulting in data loss breaches totaling billions of dollars and possibly affecting millions of users. Since this app is not inherently malicious, most security technology may overlook it and not flag it as malicious.

Due to potential exploits, Palantir Technologies, which has a significant percentage of government contractors in its portfolio, is switching its Pixel devices to iPhones.