Pixel 2 and later phones banned from a company after dangerous, uninstallable app discovered
According to mobile threat intelligence company iVerify, most Google phones starting with Pixel 2 include a feature that cybercriminals can exploit to spy on users or remotely control their devices.
iVerify shared its findings The Washington Postwhich reports that Google’s master software for Pixel phones included a feature that gave Verizon sales staff deep access to the devices to assist with demos.
This feature has security flaws, which became apparent after Verify’s Endpoint Detection and Response (EDR) scanner detected an insecure Android device on Palantir Technologies, an iVerify customer that makes defense software solutions for the U.S. Army.
When the matter was investigated by iVerify, Palantir and Trail of Bits, it emerged that Google’s Pixel devices contained a hidden Android app called Showcase, developed by software maker Smith Micro. It has a disturbingly high level of privilege for a third-party app.
The researchers at iVerify suspect that the app could also be installed on other Android devices.
Showcase is an otherwise inactive app that can be activated remotely by cybercriminals, but Google denies this, saying that physical possession and a user password are required to exploit the app.
When active, Showcase downloads instructions from an unsafe website. Hackers can intercept the transmitted data and even send malicious spying instructions instead.
Users cannot delete the files from their phones, meaning millions of Pixel devices are vulnerable to man-in-the-middle attacks.
Out of an abundance of caution, we will be removing this from all supported Pixel devices on the market with an upcoming Pixel software update.
Ed Fernandez, Google spokesperson, August 2024
Given our operations and our customers, mobile device security is a big concern for us. Using unsafe third-party software was a major breach of trust. We have no idea how the software got there, so we have decided to ban Android devices internally.
Dane Stuckey, CEO of Palantir, August 2024