Cybersecurity company iVerify has released a new report on a vulnerability in Google Pixel smartphones. The report notes that most of these phones sold since September 2017 included software that can be used to monitor or remotely control users’ devices.
The vulnerability was discovered after the iVerify EDR scanner flagged an unsecured Android device at Palantir Technologies, an iVerify client. After launching a joint investigation, iVerify, Palantir, and Trail of Bits discovered a hidden Android software package — Showcase.apk — on Google Pixel devices. Data analytics company Palantir has since banned Android devices across the company.
According to iVerify’s report, the software was developed by Smith Micro Software and appears to have been created for Verizon for in-store demonstrations. The program was inactive by default and had to be manually enabled.
«When active, Showcase.apk makes the operating system accessible to hackers and ready for man-in-the-middle attacks, code injection, and spyware», the report says. «The impact of this vulnerability is significant and could lead to data loss totaling billions of dollars».
Google spokesperson Ed Fernandez said that the software was created «for Verizon demo devices in stores and is no longer in use». He added that Google «sees no evidence of any active exploitation of this vulnerability by».
iVerify notified Google of its discovery in early May. The company has not publicly disclosed the vulnerability or released a software update to fix the problem. The app is planned to be removed from all Pixel devices «in the coming weeks».
Source: The Verge