Google to Remove Potentially Risky App from Pixel Devices Following Security Concerns

Google sold Android phones with a big security risk

Google's Pixel smartphones ship with a risky application that leaves them vulnerable to hackers, mobile security firm iVerify has found. The third-party app has reportedly been embedded in Pixel phones for years. According to iVerify, the app has a vulnerability that "leaves millions of Android Pixel devices susceptible" to hackers, "giving cybercriminals the ability to inject malicious code and dangerous spyware." A Google spokesperson told WIRED that the company will work to remove the software in the coming weeks. The spokesperson told The Washington Post that "[e]xploitation of this application on a user phone requires both physical access to the device and the user's password." The security issue with Google's Pixel phones has prompted AI giant Palantir to stop issuing them to its employees, the Post reports. "Mobile security is a very real concern for us, given where we're operating and who we're serving," Palantir's Chief Information Security Officer, Dane Stuckey, told The Post. "This was very deleterious of trust, to have third-party, unvetted insecure software on it. We have no idea how it got there, so we made the decision to effectively ban Androids internally." iVerify said that the issue "highlight[s] the need for more transparency and discussion around having third-party apps running as part of the operating system" in tech firms' products. "It also demonstrates the need for quality assurance and penetration testing to ensure the safety of third-party apps installed on millions of devices."

Google to remove app with security flaw that almost all Android phones had

Most Google Pixel phones sold over the last few years have a software that could be used to hack into them, a report has shared. Cybersecurity company iVerify has revealed that a 'Showcase' app left open a security vulnerability that could be exploited to remotely control the phone and look through it. The hidden software package Showcase.apk was pre-loaded into every Android release for Pixel since 2017. Developed by Smith Micro for Verizon, the app was used to launch a retail model on the phones. The app was designed in a way so software could be installed using it or code could be written through it remotely. It can download a configuration file over an unencrypted HTTP connection making it unsecure. The investigation done together by iVerify, data analytics firm Palantir and Trail of Bits also found that the risk appeared to be limited given that the app is disabled by default and needs a passcode to access it. (For top technology news of the day, subscribe to our tech newsletter Today's Cache) Google's new AI Pixel Screenshots feature is similar to Microsoft's Recall, but safer Google has responded to the study by acknowledging the vulnerability and saying it will remove Showcase from Pixel devices within the "coming weeks." The app also wasn't included in the newly released Pixel 9 series. Google also said that they hadn't seen any incident that had exploited the vulnerability. Palantir decided to ban Android devices within the company as a response, saying that the tech giant had reacted too slow to the report. Google has reportedly also notified other Android OEMs about Showcase. Read Comments

Google to remove potentially risky app from Pixel devices following security report - SiliconANGLE

Google to remove potentially risky app from Pixel devices following security report Google LLC has committed to removing a dubious application found on some or all Pixel phones following a report about it representing a serious security vulnerability, be it that the severity of the vulnerability is in dispute. A report released today by mobile device security company iVerify LLC in conjunction with the security team at Palantir Technologics Inc., detailed the discovery of a serious Android security vulnerability that the report says impacts millions of Pixel devices globally. The vulnerability is claimed to make Android accessible to cybercriminals to perpetrate man-in-the-middle attacks, malware injections, and spyware installations. The vulnerability relates to an Android app package called Showcase.apk. Per the iVerify report, the application runs at the system level and can fundamentally change the phone's operating system. The application package is installed over unsecured HTTP protocols, opening a backdoor that makes it easy for cybercriminals to compromise the device. The report notes that users cannot remove the app as it is part of the firmware image and Google does not allow end-users to alter the firmware image for security reasons. "While we don't have evidence this vulnerability is being actively exploited, it nonetheless has serious implications for corporate environments, with millions of Android phones entering the workplace every day," Rocky Cole, co-founder and chief operations officer of iVerify, said in a statement sent to SiliconANGLE. "Google is essentially giving CISOs the impossible choice of accepting insecure bloatware or banning Android entirely." The report also claimed that Google was also made aware of the vulnerability, with iVerifty submitting a detailed report on what the issue is. "It's unclear if Google will issue a patch or remove the software from the phones to mitigate the potential risks," the report states. While Google has admitted that the file may cause security issues, the search giant varies in its belief of how wide the exposure and potential security risk actually is. A spokesperson from Google who spoke with CNET claims that the app was developed by Smith Micro Software Inc. for Verizon Communications Inc. and is not an Android or Pixel vulnerability. It is also claimed that the app was only used for in-store devices and that the app is no longer being used. Further, Google disputes the risk presented by it. "Exploitation of this app on a user phone requires both physical access to the device and the user's password... we have seen no evidence of any active exploitation," the spokesperson added. "Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update." The claims come after Google announced its latest Pixel lineup at an event on Aug. 13. Google announced a new family of Pixel 9 smartphones, along with the Pixel 9 Pro Fold, that feature the company's artificial intelligence Gemini family of models.