The cybersecurity company iVerify has recently discovered a serious vulnerability that affects millions of Pixel smartphones worldwide and has published its findings in a new report.
According to the report, the software in question is called Showcase.apk. It was originally developed by Smith Micro Software for demonstration devices in Verizon stores.
It gives store employees deep access to the many features of a Pixel phone in order to ‘demonstrate how they work’ to interested customers.
Normally, Showcase is inactive and does nothing. However, a skilled hacker may activate it through a backdoor.
What can this APK do on Google phones?
The APK (Android Package Kit) receives its configuration file from an insecure domain on Amazon Web Services. In theory, a malicious actor could intercept these connections or impersonate the website and inject malware or spyware into a Pixel phone. Additionally, since Showcase has ‘excessive system privileges,’ it is easy for cybercriminals to compromise a target.
What is particularly terrifying is that Showcase has been part of the Google Pixel ecosystem since September 2017. And the worst part is that the average user cannot remove the APK through the standard uninstallation process, as it is considered a system-level application. iVerify claims that ‘only Google can fix’ this issue.
There is good news, however. First of all, it seems that no one, not even hackers, knew about the exploit. A Google spokesperson told The Washington Post that the company has not seen any attacks that can be attributed to Showcase.
The spokesperson also stated that there is no evidence of ‘active exploitation’ and even suggested that such an attack ‘would be unlikely.’
Google is aware of the problem. The tech giant told Forbes that it is taking measures ‘out of an abundance of caution’ and plans to deploy a patch to all ‘compatible Pixel devices on the market.’ However, don’t worry about the Pixel 9 series, as none of the four models has Showcase.apk.