Google Pixel phones were shipped with an application that could potentially be misused by hackers to spy on users’ smartphones, an investigation by three security companies has revealed. A hidden Android package on the company’s handsets that was used to demonstrate features at a US telecommunications firm’s stores contains a security vulnerability, according to security firm iVerify. Google has reportedly confirmed that the application in question, which is inactive by default, will be removed from Pixel phones in the future.
Google Pixel Phones Shipped With Vulnerable ‘Showcase’ Application
According to a report by cybersecurity firm iVerify, an insecure smartphone was detected at one of its clients, Palantir Technologies. When the handset in question was inspected, the security firm found an application called Showcase that was preinstalled on all Pixel phones.
The Showcase application was created by a firm to enable demos for Google Pixel phones at Verizon stores in the US, according to the company. While the vulnerable application is preinstalled on all of Google’s smartphones sold since 2017, it is not enabled by default. Meanwhile, Gadgets 360 was unable to locate the Showcase app on the Pixel 8 review unit sent by the company.
The Showcase app runs at the system level, which gives it a greater level of access to a user’s phone than applications installed via the Play Store. It is unclear why Google shipped the application on all Pixel phones, instead of including it only on models that were required for in-store demos in the US.
While Pixel smartphones are widely considered to be some of the most secure Android phones, the vulnerability — if enabled — could allow attackers to perform a man-in-the-middle (MITM) attack, inject malicious code and execute it, or even run spyware on a user’s phone, according to iVerify. The security firm states that Palantir now plans to phase out Android smartphones and transition to iPhone models over the coming years.
The security firm states that it provided Google with a vulnerability report as part of the latter’s 90-day disclosure process, but did not receive a response from the company. In a statement to The Verge, a Google spokesperson said that the company had “seen no evidence of any active exploitation” of the Showcase app and that it would be removed from all Pixel smartphones “in the coming weeks”.