Facepalm: Millions of Android phones, mainly Pixels, have been shipped with a hidden app that could allow hackers to take remote control or spy on users. Owners of Pixel phones from 2017 and later should watch for an upcoming security update from Google.
Cybersecurity researchers at iVerify discovered a secret app called "Showcase.apk" that has a vulnerability that could give hackers a backdoor into the phone. Ironically, they found the faulty app after the company's endpoint detection and response scanner flagged an Android phone at Palantir Technologies, a data analysis firm providing services to intelligence agencies. Palantir was so alarmed that leadership decided to stop issuing Android phones to employees until Google sorted out the issue.
Showcase.apk is not an app typical users would know about. It lies buried in the firmware of some Android builds, including Pixel builds going back to September 2017. Smith Micro, a company that provides remote access tools and parental controls, created the app to help sales representatives demonstrate phone features at stores like Verizon. While Smith Micro designed the app with good intentions, it happens to contain a vulnerability that can be remotely activated and exploited.
The root cause of the problem is that the app tries to connect over an insecure HTTP connection rather than HTTPS, opening the door for man-in-the-middle attacks where hackers can intercept the traffic. Worse yet, users can't uninstall the app because it's a part of the firmware image.
"Why Google installs a third-party application on every Pixel device when only a very small number of devices would need the Showcase.apk is unknown," notes iVerify.
The security company says it notified Google about this vulnerability in May, but the tech giant was dragging its feet on delivering a fix. On Wednesday, Google finally told The Washington Post that they'll remove the sketchy app from Pixel phones with a software update. They also say they'll notify partners who bundle it on other Android devices.
While Google told The Verge that there's no evidence that hackers ever abused the vulnerability in the wild, the implications are still pretty scary. Since Google is issuing a patch soon, users should keep their phones updated. It isn't clear if the freshly launched Pixel 9 series still ships with this app, but considering Google is aware of the problem, it may have addressed the situation before release.