
Gottagopestcontrol

Trusted News & Timely Insights

Google Pixels contain the Verizon app, which also acts as a backdoor

A defunct but non-removable application embedded in the firmware of all Google Pixel phones can act as a perfect malicious backdoor.

“Showcase.apk” was developed by Pittsburgh-based Smith Micro specifically for Pixel devices displayed in Verizon stores. Somehow it ended up preinstalled in every Pixel phone delivered since at least September 2017: millions of devices around the globe, on all models except the very first one, including those not serviced by Verizon. Dark Reading has reached out to Verizon for information on how this happened.

This is bad news, iVerify noted in a report yesterday, as the app has significant privileges and the ability to perform all kinds of malicious functions. And because it’s built into the phone’s base image, no one can remove it except Google itself.

Showcase.apk is not OK

Earlier this year, iVerify discovered a security flaw in an Android device used by Palantir Technologies, a big data company that works with intelligence and defense agencies. The investigation led to showcase.apk, a now-obsolete Android package file (APK) that Verizon Wireless had commissioned for use in its demo devices.

Many aspects of this app remain a mystery to this day, including why it was installed on devices other than the phones displayed in Verizon stores and why it has such excessive privileges. The app inherits “excessive” system-like privileges for no apparent reason. It can use these privileges to execute commands in a shell environment or install arbitrary packages, among other things.

“You can use your imagination as to how it could be used,” says Rocky Cole, co-founder and COO of iVerify, who himself previously worked at Google. “It can control the device – for example, turn the camera on and off, read text messages and emails, as part of its core demo store functionality.”

It doesn’t help that the package is full of vulnerabilities. It communicates with a command-and-control (C2) domain and downloads files over insecure HTTP, which opens the door to man-in-the-middle (MITM) attacks; the insecure certificate and signature verification processes it uses to validate incoming files can return valid responses even after an error, and more.
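An added illustration (not code from Showcase.apk, iVerify or the original article) of the failure mode described above: a verification routine that reports success after an error, next to a fail-closed version that also refuses plain HTTP. The pinned SHA-256 digest stands in for the app's certificate and signature checks, and every name, URL and value here is constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample data: a "downloaded" payload and the digest the client pins for it.
PAYLOAD = b"demo-config-v1"
PINNED_SHA256 = hashlib.sha256(PAYLOAD).hexdigest()


def verify_fail_open(data, expected_hex):
    """Anti-pattern: the result starts as 'valid' and any error is swallowed."""
    valid = True
    try:
        expected = bytes.fromhex(expected_hex)  # raises on malformed input
        if not hmac.compare_digest(hashlib.sha256(data).digest(), expected):
            valid = False
    except Exception:
        pass  # the error path leaves valid == True
    return valid


def verify_fail_closed(data, expected_hex):
    """Hardened: only an explicit, successful comparison returns True."""
    if not isinstance(data, (bytes, bytearray)):
        return False
    try:
        expected = bytes.fromhex(expected_hex)
    except (ValueError, TypeError):
        return False  # malformed or missing digest means "not verified"
    if len(expected) != hashlib.sha256().digest_size:
        return False
    return hmac.compare_digest(hashlib.sha256(data).digest(), expected)


def accept_update(url, data, expected_hex):
    """Refuse cleartext transport first, then require fail-closed verification."""
    if urlsplit(url).scheme != "https":
        return False
    return verify_fail_closed(data, expected_hex)


if __name__ == "__main__":
    # A tampered payload with a corrupted digest: the two verifiers disagree.
    print(verify_fail_open(b"tampered", "not-hex"))
    print(verify_fail_closed(b"tampered", "not-hex"))
    print(accept_update("http://updates.example/cfg", PAYLOAD, PINNED_SHA256))
```
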

A silver lining

However, there are two pieces of good news.

For one thing, showcase.apk appears to be disabled by default. And as it turns out, iVerify researchers were only able to enable it when they were physically near a target device (via mechanisms they have not disclosed ahead of any Google patch).

“The assumption that you have to be near the device to activate it is really the only thing that stands between the adversary and the end user,” explains Cole, who in addition to Google also worked as an NSA analyst. “If you overcome that barrier – and I can think of a few ways you could do that – you basically have an undetectable, ongoing spiral.”

This would be of utmost concern for high-risk users. “At Palantir, for example, many of their customers work in really competitive spaces. They are on the front lines of not just digital conflicts, but actual, kinetic conflicts in the real world. And many national security functions are built on Android. So this vulnerability would be the perfect second or third stage of a mobile exploit chain,” he says.

As an example of where showcase.apk could fit into a broader attack chain, he cites Operation Triangulation. “The exploit chain was 10 or 12 steps long – you can think of showcase.apk as somewhere in the middle to the end of that chain.”

Not planned for Google Pixel 9

So far, there is no evidence that showcase.apk has been abused in the wild.

In press releases, Google spokespeople have indicated that the upcoming Google Pixel 9 will not include the package at all. For existing Pixels, Google is reportedly working on an update set to be released “in the coming weeks.” Until then, there’s little that high-risk Pixel owners can do other than physically protect their phones to hamper the initial attack vectors that pave the way for showcase.apk abuse.

Dark Reading has reached out to Google for more information on upcoming bug fixes.

And for Cole, there’s a broader problem at play here. “Take CrowdStrike: It’s deliberately placed there by the end user. When you buy CrowdStrike, you agree to have third-party software running on your machines at the kernel level. The difference with Showcase.apk is that no end user is ever given any (option) other than to simply accept Pixel’s terms of service. It’s an offer you can either accept or decline – you either accept the bloatware or you don’t use Pixel,” he explains.

“The lesson from this,” he concluded, “is that it is probably risky to inject third-party software so deeply into the operating system without giving users the option to remove it.”
