Google Pixels Since 2017 Vulnerable to MiTM Attacks Due to Verizon Demo App

iVerify has uncovered a critical vulnerability affecting millions of Google Pixel devices worldwide, dating back to models released in 2017.

The culprit is an Android package, Showcase.apk, which enjoys excessive system privileges yet isn't protected by external attacks, posing significant security risks, including remote code execution and potential device takeover by malicious actors.

Discovery and details

The vulnerability was identified earlier this year when iVerify's Endpoint Detection and Response (EDR) flagged an Android device at Palantir Technologies as insecure. This initiated an in-depth investigation by iVerify, in collaboration with Palantir and Trail of Bits.

The investigation revealed that Showcase.apk is part of the firmware on a significant number of Pixel devices, including those shipped since September 2017. The application is not enabled by default, but its presence on the device firmware and its extensive privileges present a severe risk.

Specifically, the app can download a configuration file over an unsecured HTTP connection from a single U.S.-based AWS-hosted domain. This leaves the device vulnerable to man-in-the-middle (MITM) attacks, where attackers could inject malicious code into the system.

Technical breakdown

The Showcase.apk was designed as a demonstration tool, likely intended for use in Verizon stores, allowing the device to function in a retail demo mode. However, its implementation raises several security concerns:

• The application operates with system-level privileges, granting it the ability to execute shell commands, install and delete packages, and even reboot the device. This level of access is unnecessary for a demo app and exposes the device to significant risks.
• The app retrieves its configuration from a predefined URL over an insecure HTTP connection, making it susceptible to interception and manipulation.
• The app’s verification of the downloaded configuration file is flawed, potentially allowing an attacker to bypass security checks and execute arbitrary commands on the device.
• Due to its integration into the system firmware, Showcase.apk cannot be uninstalled by users through standard means, complicating mitigation efforts.

Impact and response

The implications of this vulnerability are severe, with millions of Pixel devices potentially exposed to cyberattacks. An attacker who successfully exploits this vulnerability could take control of the affected device, install spyware, or extract sensitive information, leading to data breaches with significant financial and reputational consequences.

The app was identified across various Pixel models, including the Pixel 2, 3, 6, 7a, and 8, with Verizon and non-Verizon firmware versions affected. The vulnerability spans numerous operating system versions, from Android 8.0.0 to the latest releases, indicating the widespread and persistent nature of the issue.

iVerify notified Google about the vulnerability with a detailed disclosure following a 90-day responsible disclosure process. Despite the severity of the flaw, Google has yet to release a patch or provide guidance on how to address the issue. The inability to remove the app through normal means exacerbates the problem, leaving users with few options to protect their devices.

Generally, refraining from connecting to public or unsecured Wi-Fi networks where MITM attacks are more likely would be advisable, even if extremely impractical. Ensuring that your device is running the latest security patches provided by Google is a solid practice, even though a fix for this specific issue is not yet available. Ultimately, if you're too worried about this flaw, consider switching to different Android models from other OEMs, or other platforms entirely, such as Apple's iOS.

CyberInsider has contacted Google to request a statement on the issues highlighted in the iVerify report. Google provided CyberInsider with the following comments:

This is not an Android platform nor Pixel vulnerability, this is an apk developed by Smith Micro for Verizon in-store demo devices and is no longer being used. Exploitation of this app on a user phone requires both physical access to the device and the user's password. We have seen no evidence of any active exploitation. Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update. The app is not present on Pixel 9 series devices. We are also notifying other Android OEMs.

– Google spokesperson