A large share of Google's Pixel devices shipped worldwide since September 2017 have carried dormant software that could be abused to mount attacks and deliver various kinds of malware.
The problem stems from a pre-installed Android application called "Showcase.apk," which holds excessive system privileges, including the ability to execute code remotely and install arbitrary packages on the device, according to the mobile security firm iVerify.
"The application downloads a configuration file over an unsecured connection and can be manipulated to execute code at the system level," it said in an analysis conducted in collaboration with Palantir Technologies and Trail of Bits.
“The application retrieves the configuration file from a solitary U.S.-based, AWS-hosted domain over unsecured HTTP, which exposes the configuration and can compromise the device’s security.”
The app in question is Verizon Retail Demo Mode ("com.customermobile.preload.vzw"), which requests nearly three dozen permissions, including location and external storage, according to artifacts uploaded to VirusTotal earlier in February. Discussions on Reddit and XDA Forums indicate that the package has been around since August 2016.
The core issue is that the app retrieves its configuration file over unencrypted HTTP rather than HTTPS, so the file can be modified in transit to the target device. There is no documented evidence of this being exploited in the wild.
It is worth stressing that the app is not Google software. It was developed by an enterprise software company, Smith Micro, to put the device into demo mode. Why third-party software was built directly into the Android firmware remains unclear, although a Google representative, speaking off the record, indicated that Verizon owns the app and mandates it for all Android devices.
The net effect is that it leaves Pixel phones open to adversary-in-the-middle (AitM) attacks, allowing an attacker to inject malicious code and spyware.
In addition to operating within a highly privileged context at the system level, the application “fails to authenticate or verify a statically defined domain during the retrieval of the application’s configuration file” and “employs insecure default variable initialization during certificate and signature verification, resulting in valid verification checks post-failure.”
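The "insecure default variable initialization" finding describes a fail-open check: the result variable starts out as "verified" and an exception during the check leaves that value untouched. The following is an added illustration of that bug class beside its fail-closed form; it is not Showcase.apk's code, and HMAC-SHA256 over a constructed config body stands in for the app's certificate and signature check, since the defect lies in the control flow, not the primitive.

```python
import hashlib
import hmac

# Constructed sample data. Over plain HTTP an on-path party controls both the
# config body and whatever signature header accompanies it.
SIGNING_KEY = b"demo-key-not-a-real-secret"
CONFIG_BODY = b"demo_mode=1\nupdate_url=http://example.invalid/config\n"


def sign(body: bytes, key: bytes = SIGNING_KEY) -> str:
    """Hex signature a legitimate config server would attach to the body."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_fail_open(body: bytes, sig_hex: str, key: bytes = SIGNING_KEY) -> bool:
    """Vulnerable pattern: result defaults to True, and a malformed signature
    raises before the assignment, so the default is what gets returned."""
    verified = True                      # insecure default initialization
    try:
        expected = hmac.new(key, body, hashlib.sha256).digest()
        verified = hmac.compare_digest(expected, bytes.fromhex(sig_hex))
    except (ValueError, TypeError):
        pass                             # check failed, yet 'verified' stays True
    return verified


def verify_fail_closed(body: bytes, sig_hex: str, key: bytes = SIGNING_KEY) -> bool:
    """Hardened pattern: default to rejection and flip only on a successful check."""
    verified = False
    try:
        expected = hmac.new(key, body, hashlib.sha256).digest()
        verified = hmac.compare_digest(expected, bytes.fromhex(sig_hex))
    except (ValueError, TypeError):
        verified = False                 # any error on the check path is a rejection
    return verified


def compare(body: bytes, sig_hex: str) -> dict:
    """Run both variants on the same input so the divergence is visible."""
    return {"fail_open": verify_fail_open(body, sig_hex),
            "fail_closed": verify_fail_closed(body, sig_hex)}


if __name__ == "__main__":
    good = sign(CONFIG_BODY)
    print("valid signature     :", compare(CONFIG_BODY, good))
    print("tampered body       :", compare(CONFIG_BODY + b"extra=1\n", good))
    print("malformed signature :", compare(CONFIG_BODY, "not-hex"))
```

A tampered body with the original signature is rejected by both variants; only a signature that makes the check itself raise slips past the fail-open version.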
That said, the severity of the vulnerability is tempered by the fact that the app is not enabled by default and can only be activated if a threat actor has physical access to the target device and developer mode is enabled.
“Since this application is not inherently malicious, most security technologies may disregard it and fail to flag it as malicious. Additionally, since the application is installed at the system level and is part of the firmware image, it cannot be uninstalled at the user level,” iVerify remarked.
In a statement provided to The Hacker News, Google said the issue is neither an Android platform vulnerability nor a Pixel-specific one, attributing it instead to a package file developed for Verizon in-store demo devices. Google also confirmed that the app is no longer in use.
“Exploitation of this application on a user’s phone necessitates both physical access to the device and the user’s password,” a Google spokesperson stated. “We have observed no evidence of any active exploitation. As a precautionary measure, we will be removing this application from all supported in-market Pixel devices with an upcoming Pixel software update. The application is not present on Pixel 9 series devices. We are also notifying other Android OEMs.”