Virtually All Pixel Phones Were Sold With A Security Flaw, Fix Incoming

An app designed for Verizon in-store demos, identified as Showcase.apk, has left several generations of Pixel smartphones vulnerable to a number of different types of attacks. The app has been around since 2017, and places nearly every Pixel device sold during that time at risk. However, Google remarked it is committed to removing the software from all affected Pixel devices.

Google recently announced its latest lineup of Pixel smartphones, including a new XL model, and the latest in Pixel Pro 9 Pro. While security has always been toward the top of the list in terms of features when buying a Pixel smartphone, there is always a risk something will get by all the safeguards put into place. Such is the case with a new vulnerability that has left millions of Pixel devices susceptible to man-in-the-middle attacks, giving cybercriminals the ability to inject malicious code and dangerous spyware, according to new analysis by researchers at iVerify. The researchers noted the Showcase.apk is pre-installed in Pixel firmware and included in Google’s OTA image for Pixel devices.

According to a Google spokesperson, Showcase is an app that was developed by Smith Micro for use as an internal Verizon demo. The app allowed the carrier to show off highlights of a Pixel device to consumers in Verizon stores. While it is not actively enabled on a Pixel phone when it is bought, the software is still there, and remains a security risk.


iVerify’s analysis showed that if the app were to be switched on, there is a possibility an attacker could take advantage of insecurities in the app in order to gain control of the device. Being Showcase is granted a lot of permissions also adds to potential vulnerabilities. An example given by iVerify is cybercriminals can use vulnerabilities in the app’s infrastructure to execute code or shell commands with system privileges on Android devices to take over devices to perpetrate cybercrime and breaches.

“I’ve seen a lot of Android vulnerabilities, and this one is unique in a few ways and quite troubling,” remarked Rocky Cole, chief operating officer of iVerify and a former US National Security Agency analyst. “When Showcase.apk runs, it has the ability to take over the phone. But the code is, frankly, shoddy. It raises questions about why third-party software that runs with such high privileges so deep in the operating system was not tested more deeply. It seems to me that Google has been pushing bloatware to Pixel devices around the world.”

The good news is an attacker would either need to know the Showcase app is already activated on a Pixel smartphone, or know the password in order to activate it themselves before being able to take advantage of the vulnerability. The downside is removal of the app is not possible through a user’s standard uninstallation process, and at this time, Google has yet to release a patch for the vulnerability (though one is incoming).

“We would have much preferred to have Google patch this before we talked about it publicly, but their inability to give a specific patch date left us no other choice,” Cole explained. “A well-resourced adversary like a nation state could exploit this—it has the potential to be a backdoor into basically any Pixel in the world.”