Google deletes app on millions of Pixel phones – ‘dangerous’ new spyware warning issued

A new, alarming warning has just been issued for Android users after “a serious security vulnerability was discovered affecting Pixel devices worldwide… leaving millions of devices vulnerable to man-in-the-middle (MITM) attacks, allowing cybercriminals to inject malicious code and dangerous spyware.”

The warning from smartphone security specialist iVerify concerns the Showcase app, which comes pre-installed on tens of millions of Pixel devices. Notably, the vulnerability was first found on a device belonging to the highly security-conscious Palantir. iVerify noted: “The application runs at the system level and can fundamentally change the phone’s operating system. Since the application package is installed via unsecured HTTP protocols, this opens a backdoor that makes it easy for cybercriminals to compromise the device.”

Palantir has added its voice to iVerify’s warning. CISO Dane Stuckey said: “We support some of the most important institutions in the Western world. Google embedding third-party software into Android’s firmware without verifying the quality or security of those apps and without communicating this to vendors or users creates significant security vulnerabilities for everyone who relies on this ecosystem.”

The lack of transparency and inability to delete this app was so concerning that Rocky Cole, co-founder and COO of iVerify, warned that it has “serious implications for enterprise environments as millions of Android phones enter the field every day. Google is essentially giving CISOs the impossible choice of embracing insecure bloatware or banning Android entirely.”

A pre-installed app with security flaws is a disaster waiting to happen. However, iVerify admits that “we have no evidence that this vulnerability is being actively exploited.” The reason for the heightened concern is that the app “is designed to retrieve a configuration file over unsecured HTTP… to execute system commands or modules that could open a backdoor, making the device easily compromised.” Since the app itself is not malicious, just poorly built, “it may miss most security technology… and since the app is installed at the system level and is part of the firmware image, it cannot be uninstalled at the user level.”

iVerify told me that it had “notified Google with a detailed report of the vulnerability following the 90-day disclosure process,” but at that time it was “unclear when Google would issue a patch or remove the software from the phones to mitigate the potential risks.”

Although there is “no evidence of active exploitation,” Google assured me it is taking action, telling me, “Out of an abundance of caution, we will be removing this from all supported Pixel devices in the market with an upcoming Pixel software update. The app is not present on Pixel 9 series devices.” And while iVerify’s report focused on Pixels, Google also said it is “notifying other Android OEMs.”

Regarding the origins of the app, Google told me: “This is not an Android platform or Pixel vulnerability, but rather an APK developed by Smith Micro for Verizon demo devices in stores that is no longer in use. Using this app on a user’s phone requires both physical access to the device and the user’s password.”

The specific concerns that prompted iVerify to report include the lack of authentication when retrieving the configuration file, the lack of checking the integrity of this file before loading it onto the phone, and insecure transmission – the MITM vulnerability.
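The three concerns listed above (no authentication of the configuration source, no integrity check before the file is acted on, and plaintext transport) map onto three checks a privileged on-device component should perform before applying a remotely fetched configuration. The following is an added illustration written for this article in Python, not code from the Showcase app, Google or iVerify; the key name, URLs and configuration contents are constructed for the example, and HMAC-SHA256 with a firmware-provisioned key stands in for whatever authentication scheme a real deployment would use.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Hypothetical key provisioned with the firmware image (constructed for this example).
FIRMWARE_CONFIG_KEY = b"example-firmware-provisioning-key"


class ConfigRejected(Exception):
    """Raised when a fetched configuration fails any of the three checks."""


def check_transport(url: str) -> None:
    """Concern 3 (insecure transmission): refuse anything that is not HTTPS, so an
    on-path attacker cannot substitute the response body in transit."""
    if urlparse(url).scheme != "https":
        raise ConfigRejected(f"refusing non-TLS config URL: {url}")


def sign_config(body: bytes) -> str:
    """Server-side helper (hypothetical): how a legitimate config server would tag a body."""
    return hmac.new(FIRMWARE_CONFIG_KEY, body, hashlib.sha256).hexdigest()


def verify_and_load(url: str, body: bytes, tag_hex: str) -> dict:
    """Concerns 1 and 2 (no authentication, no integrity check): only a holder of the
    provisioning key can produce a valid tag, and any change to the body invalidates it.
    The tag is checked in constant time *before* the body is parsed or acted on."""
    check_transport(url)
    expected = hmac.new(FIRMWARE_CONFIG_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag_hex):
        raise ConfigRejected("config authentication tag mismatch")
    return json.loads(body)


def accepts(url: str, body: bytes, tag_hex: str) -> bool:
    """Convenience wrapper: True if the config would be applied, False if rejected."""
    try:
        verify_and_load(url, body, tag_hex)
    except ConfigRejected:
        return False
    return True


if __name__ == "__main__":
    body = json.dumps({"modules": ["demo_ui"], "version": 3}).encode()
    tag = sign_config(body)
    print(verify_and_load("https://config.example.test/showcase.json", body, tag))
    tampered = body.replace(b"demo_ui", b"unexpected_module")
    print("tampered accepted:", accepts("https://config.example.test/showcase.json", tampered, tag))
    print("plain HTTP accepted:", accepts("http://config.example.test/showcase.json", body, tag))
```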

iVerify acknowledges the “demo” nature of the Showcase app, “which fundamentally changes the way the operating system works,” but notes that “the app runs in a high-privilege context, which is unnecessary for the intended purpose of the application.”

Before Google’s mass wipe, iVerify warns: “There is nothing users can do to protect themselves from this vulnerability because it is part of the firmware image. Only Google can fix it. Therefore, this package presents users with a very difficult choice: accept the vulnerability or not use Pixel phones at all.”

This warning obviously comes at a bad time for Google: this week marks the launch of the Pixel 9, there is an ongoing battle between Pixel and Samsung for Android AI supremacy, and Apple is about to launch the iPhone 16 in the broader premium category.

The answer to iVerify’s question of “why Google installs a third-party application on every Pixel device when only a very small number of devices need it” remains unclear. But this concern, it says, “is so serious that Palantir, which helped identify the security issue, is choosing to remove Android devices from its mobile fleet and move entirely to Apple devices over the next few years.”

All in all, it was a tougher end to the Pixel launch week for Google than expected.