Mobile phone security company iVerify has discovered a vulnerability in Google Pixel smartphones. According to iVerify, a third-party software with deep system access is responsible for it. Worryingly, it has been shipped with “a very large percentage of Pixel devices (…)” since September 2017.

The issue affects “Showcase.apk,” a software developed for Verizon that is used to put Pixel devices into demo mode while they are on display in retail stores. The software downloads a configuration file over an unencrypted web connection that—due to Showcase’s deep access—could allow malicious actors to perform remote code execution or remote package installation on the device.

What’s particularly troubling about this discovery is that Showcase cannot be uninstalled at the user level. And while it is not enabled by default, iVerify says there could be several ways to enable the software. iVerify alerted Google to the vulnerability in May; so far, there is no confirmed evidence that it has been exploited in the wild.

A Google spokesman said that Showcase is “no longer being used” by Verizon and that Google will release a software update “in the coming weeks” to remove the software from all Pixel devices. In addition, the spokesperson said Showcase was not included in the lineup of devices announced during the Made by Google event this week.