A security vulnerability has been uncovered in Google Pixel smartphones, affecting a significant number of devices sold since September 2017. According to an investigation by mobile phone security firm iVerify, the issue stems from a piece of third-party software called Showcase.apk, which was designed for Verizon to put Pixel devices in demo mode for retail store displays.
The problem lies in the software’s ability to download configuration files over an unencrypted web connection, potentially allowing malicious actors to execute remote code or install packages on the device. What’s more, Showcase has deep system access, making it a particularly concerning vulnerability.
To make matters worse, Showcase cannot be uninstalled by users, and while it is not enabled by default, iVerify warns that there may be multiple ways to activate the software. The firm alerted Google to the vulnerability in May, but so far, there is no evidence that it has been exploited in the wild.
In response to the discovery, a Google spokesperson confirmed that Showcase is no longer being used by Verizon and that a software update will be released in the coming weeks to remove the software from all affected Pixel devices. Additionally, the spokesperson noted that Showcase is not present on the newly announced Google Pixel 9 devices.
