According to mobile threat intelligence company iVerify, most Google phones starting with Pixel 2 include a feature that cybercriminals can exploit to spy on users or remotely control their devices.

iVerify shared its findings The Washington Postwhich reports that Google’s master software for Pixel phones included a feature that gave Verizon sales staff deep access to the devices to assist with demos.

This feature has security flaws, which became apparent after Verify’s Endpoint Detection and Response (EDR) scanner detected an insecure Android device on Palantir Technologies, an iVerify customer that makes defense software solutions for the U.S. Army.

When the matter was investigated by iVerify, Palantir and Trail of Bits, it emerged that Google’s Pixel devices contained a hidden Android app called Showcase, developed by software maker Smith Micro. It has a disturbingly high level of privilege for a third-party app.

The researchers at iVerify suspect that the app could also be installed on other Android devices.

Showcase is an otherwise inactive app that can be activated remotely by cybercriminals, but Google denies this, saying that physical possession and a user password are required to exploit the app.

When active, Showcase downloads instructions from an unsafe website. Hackers can intercept the transmitted data and even send malicious spying instructions instead.

Users cannot delete the files from their phones, meaning millions of Pixel devices are vulnerable to man-in-the-middle attacks.