Pixel problems: Google's security nightmare caused by hidden software

AppleInsider

A vulnerability included in every version of Android for previous Google Pixel models will soon be patched, but Pixel 9 buyers don't need to worry.

Google Pixel 9

The majority of Google Pixel smartphones sold from September 2017 onward have included a potentially dangerous bit of code in a hidden app. One that could be used to provide considerable access to the device by an attacker.

Security researchers from iVerify discovered an issue when a threat-detection scanner discovered an odd Google Play Store app validation on a device used by someone at Palantir. Wired reports iVerify and Palantir worked together to find and disclose the problems to Google.

The problem stems from a third-party Android package called Showcase.apk. It was developed by Smith Micro to help Verizon put store phones into a retail demo mode.

However, the app has privileges including remote code execution and remote software installation, which could be hazardous when used by an attacker.

It also has the capability of downloading a configuration file over an unencrypted HTTP web connection. This is dangerous as it could be a vector for an attacker to hijack the software and use it for their own purposes.

Though Showcase isn't in use by Verizon anymore, the APK was still included in the Android builds included on Google Pixel smartphones.

Despite the disclosure at the beginning of May, Google has yet to fix the problem, but it does intend to close the security hole. The APK is not present in any Pixel 9 devices, and Google says it will be removed from all supported Pixel devices with a software update within a few weeks.

However, while Google may be in the process of fixing the problem, iVerify believes that the Showcase app could have been embedded on other Android devices as well. Google said it is also notifying other Android producers, just in case.

The Showcase issue demonstrates the issues involved in including third-party apps or software in an operating system release. It also shows that old code can still be included despite not actively being used, and can still be an attack vector.

Android devices are also often sold with a number of preinstalled apps, or bloatware, with the common complaint that they are unwanted and often take up storage capacity.

By contrast, Apple has stopped including third-party apps in versions of iOS and iPadOS that it installs onto the iPhone and iPad. It did include the YouTube app as a preinstalled App, but it was removed in iOS 6 with Google supplying and directly managing its own app release.




Read on AppleInsider

bloggerblog

It's a backdoor, they probably found a better way or backed it into their OS so they're deprecating the old. Windows has backdoors that date back to the days of Windows NT, they discovered 3 backdoors because someone forgot to encrypt them, one of them was names NSA. Microsoft of course denied that they were intentional...

gatorguy

bloggerblog said:

It's a backdoor, they probably found a better way or backed it into their OS so they're deprecating the old. Windows has backdoors that date back to the days of Windows NT, they discovered 3 backdoors because someone forgot to encrypt them, one of them was names NSA. Microsoft of course denied that they were intentional...

Not exactly. It's not a Google creation, nor can it be accessed remotely.

It's for a very specific Verizon in-store feature, a demo mode per-se, as mentioned in the AI article. This one requires physical access to the device, just as some other “back doors” have been, whether Windows, Mac or other. Even then, unless you are a Verizon employee, it's almost impossible to access according to reports.

Since Verizon is no longer using the app, it was Google's responsibility to remove it from Pixels, assuming they were advised it was deprecated. Google also seems to better understand it shouldn't be done via the OS in the first place.

...But it's hardly at the level of a "security nightmare".

StrangeDays

gatorguy said:

bloggerblog said:

It's a backdoor, they probably found a better way or backed it into their OS so they're deprecating the old. Windows has backdoors that date back to the days of Windows NT, they discovered 3 backdoors because someone forgot to encrypt them, one of them was names NSA. Microsoft of course denied that they were intentional...

Not exactly. It's not a Google creation, nor can it be accessed remotely.

It's for a very specific Verizon in-store feature, a demo mode per-se, as mentioned in the AI article. This one requires physical access to the device, just as some other “back doors” have been, whether Windows, Mac or other. Even then, unless you are a Verizon employee, it's almost impossible to access according to reports.

Since Verizon is no longer using the app, it was Google's responsibility to remove it from Pixels, assuming they were advised it was deprecated. Google also seems to better understand it shouldn't be done via the OS in the first place.

...But it's hardly at the level of a "security nightmare".

Can you tell us more about these Mac back doors of which you speak?

gatorguy

StrangeDays said:

gatorguy said:

bloggerblog said:

It's a backdoor, they probably found a better way or backed it into their OS so they're deprecating the old. Windows has backdoors that date back to the days of Windows NT, they discovered 3 backdoors because someone forgot to encrypt them, one of them was names NSA. Microsoft of course denied that they were intentional...

Not exactly. It's not a Google creation, nor can it be accessed remotely.

It's for a very specific Verizon in-store feature, a demo mode per-se, as mentioned in the AI article. This one requires physical access to the device, just as some other “back doors” have been, whether Windows, Mac or other. Even then, unless you are a Verizon employee, it's almost impossible to access according to reports.

Since Verizon is no longer using the app, it was Google's responsibility to remove it from Pixels, assuming they were advised it was deprecated. Google also seems to better understand it shouldn't be done via the OS in the first place.

...But it's hardly at the level of a "security nightmare".

Can you tell us more about these Mac back doors of which you speak?

There's a reason I put that phrase in quotation marks.

There are things that bloggers and certain media like to call "back-doors" even when they aren't. Claims like that get more eyeballs.
https://www.bitdefender.com/blog/labs/new-macos-backdoor-written-in-rust-shows-possible-link-with-windows-ransomware-group/
https://www.intego.com/mac-security-blog/jokerspy-backdoor-mac-malware-discovered-in-the-wild/
https://discussions.apple.com/thread/251667055 Backdoor access being used by hackers.

Alex_V

Absolutely nothing that you do on this phone is private. Alphabet, which owns Google, is an advertising company. They provide search, software, and hardware, and other technologies, solely as a means to spy on us. They build detailed profiles on each and every one of us, the likes of which we have never seen before. In violation of our right to privacy, they scan our emails, record our searches, videos watched, and catalogue every intimate detail about us. They sell that knowledge, as well as the access to us, to other advertisers. All this is done in the service of advertising, and making a buck. These guys would make the East German Stasi blush. And yet, governments around the world, do little to protect us from this scourge, which is far worse that the most pessimistic predictions about invasions of our privacy that I remember from the early days of the world wide web. 

chasm

The fact that Google's entire business model hasn't been barred by the DMA should be sufficient proof that the purpose of the DMA is EU regulation, not consumer protection.

escapeplissken

I would only buy this phone to install GrapheneOS or the upstream Android Open Source Project anyway