Most Google Pixel phones sold since September 2017 ship with software that could be used to monitor or control users’ phones remotely, according to a new report from cybersecurity company iVerify.
The vulnerability was discovered after iVerify’s endpoint detection and response (EDR) scanner flagged an insecure Android device at Palantir Technologies, an iVerify customer. After launching a joint investigation, iVerify, Palantir, and Trail of Bits discovered a hidden Android software package, Showcase.apk, on Google Pixel devices. Data mining company Palantir, which sells its surveillance products to governments and private companies, banned Android devices across the company in response.
“This was very damaging to trust, to have unvetted third-party software that was insecure,” said Dan Stuckey, chief information security officer at Palantir. He told The Washington Post, “We have no idea how this issue got here, so we’ve made the decision to effectively block Android devices internally.”
According to iVerify, the software was developed by a company called Smith Micro Software and appears to have been created for Verizon for in-store demos. The iVerify report found that the app was disabled by default and had to be manually enabled. “When enabled, Showcase.apk makes the operating system vulnerable to man-in-the-middle attacks, code injection, and spyware,” the report states. “The impact of this vulnerability is significant and could result in data loss breaches totaling billions of dollars.”
In a statement to The Verge, Google spokesman Ed Fernandez said the software was created “for demo devices in Verizon stores and is no longer in use,” adding that Google “has seen no evidence of any active exploitation.”
iVerify notified Google of its findings in early May, according to Wired. Google has not publicly disclosed the vulnerability, nor has it released a software update that removes the app. Wired reports that Google will remove the app from all Pixel devices “in the coming weeks,” which Fernandez confirmed to The Verge.
“It’s really annoying. Pixels are supposed to be clean,” Palantir’s Stuckey told The Verge by email. “There are a bunch of defense tools built into Pixel phones.”