Gottagopestcontrol

Almost all Pixel phones were sold with a security vulnerability; a fix is upcoming

An app called Showcase.apk, designed for Verizon in-store demos, has left multiple generations of Pixel smartphones vulnerable to various types of attacks. The app has been around since 2017 and compromises nearly every Pixel device sold during that time. However, Google has said it is committed to removing the software from all affected Pixel devices.

Google recently announced its latest lineup of Pixel smartphones, including a new XL model and the latest Pixel 9 Pro. While security has always been at the top of the list of features when purchasing a Pixel smartphone, there is always a risk that something might be overlooked despite all the security precautions taken. Such is the case with a new vulnerability that has left millions of Pixel devices vulnerable to man-in-the-middle attacks, giving cybercriminals the ability to inject malicious code and dangerous spyware, according to a new analysis by researchers at iVerify. The researchers found that Showcase.apk is pre-installed in the Pixel firmware and included in Google’s OTA image for Pixel devices.

According to a Google spokesperson, Showcase is an app developed by Smith Micro for use as an internal Verizon demo. The app allowed the carrier to showcase the highlights of a Pixel device to customers in Verizon stores. Although it is not actively enabled when you purchase a Pixel phone, the software is still present and still poses a security risk.

iVerify’s analysis found that if the app is turned on, an attacker could potentially exploit its vulnerabilities to gain control of the device. Showcase’s ability to gain extensive permissions also increases the potential for exploitation. In one example provided by iVerify, cybercriminals could exploit vulnerabilities in the app’s infrastructure to execute code or shell commands with system privileges on Android devices, taking over the devices to commit cybercrimes and security breaches.

“I’ve seen a lot of Android vulnerabilities, and this one is unique in some ways and quite disturbing,” noted Rocky Cole, chief operating officer of iVerify and a former U.S. National Security Agency analyst. “When Showcase.apk is running, it can take over the phone. But the code is, frankly, sloppy. It raises questions as to why third-party software running with such high privileges so deep in the operating system hasn’t been tested more thoroughly. It seems to me that Google has pushed bloatware onto Pixel devices around the world.”

The good news is that an attacker would either need to know that the Showcase app is already enabled on a Pixel phone or know the password to enable it themselves before they can exploit the vulnerability. The downside is that the app cannot be removed via a user’s standard uninstall process and that Google has not currently released a patch for the vulnerability (but one is in the works).

“We would have much preferred Google to have patched this before we spoke about it publicly, but their inability to provide a concrete patch date left us no choice,” Cole explained. “A well-resourced adversary like a nation-state could exploit this – it has the potential to be a backdoor into virtually every Pixel in the world.”
