Gottagopestcontrol

Trusted News & Timely Insights

Researchers say Google Pixel phones come with insecure third-party APK
Google is planning to release a firmware update for certain Pixel phones after a report surfaced that the phones contain an insecure system-level Android package (APK) that could potentially be exploited to install malicious apps.

Mobile security firm iVerify published its analysis of the Showcase.apk package on Thursday in a report co-authored by security consultants from Trail of Bits and a member of the Cyber Incident Response Team at data analytics firm Palantir Technologies.

The iVerify team discovered the APK after it was flagged by the company’s Endpoint Detection and Response (EDR) solution on a Palantir Technologies Android device.

Further analysis of Showcase.apk by iVerify, as well as a technical security analysis conducted by Trail of Bits in early May 2024, found that the software runs with high, “system-like” privileges, retrieves its configuration file over plaintext HTTP from a single domain, contains a flaw in its signature-verification code that allows the check to be bypassed, and appears to be installed on a large percentage of Pixel devices, according to the report.

“Showcase.apk appears to be present on every single Pixel sold worldwide since 2017. We have reason to believe this package may be installed on other Android models, and Google has hinted at the same,” Rocky Cole, chief operating officer of iVerify, told SC Media.

A Google spokesperson said in an email to SC Media that the APK is not present on Pixel 9 series devices and that “out of an abundance of caution” the company plans to remove the package from all supported Pixel devices available on the market in an upcoming software update.

“This is not an Android platform or Pixel vulnerability, but rather an APK developed by Smith Micro for Verizon demo devices in stores that is no longer in use,” the Google spokesperson explained. “Using this app on a user’s phone requires both physical access to the device and the user’s password. We have not seen any evidence of active exploitation.”

Google said it would also notify other Android OEMs (original equipment manufacturers) about the APK and noted that the Showcase application is owned by Verizon and must be installed on all Android devices sold by Verizon.

SC Media reached out to Smith Micro Software, which developed the APK code, and also contacted Verizon, but received no response from either company.

Showcase.apk vulnerable to man-in-the-middle attacks, researchers say

Showcase.apk was developed by Smith Micro to enable phones to be used for demonstrations in Verizon stores. Although the APK is embedded in the firmware of many Pixel phones — potentially millions, according to iVerify — it is not active by default and can only be activated by someone with physical access to the phone, according to Google.

Researchers at iVerify and Trail of Bits discovered several issues with the Showcase APK that, taken together, could allow an attacker on the network path to install malicious apps remotely, provided Showcase is already running on the target device.

First, Showcase runs with “excessive” privileges, the researchers said in their report, allowing it to install and delete packages on the device. Second, the package retrieves a configuration file from a single AWS-hosted command-and-control domain at a predefined URL over unencrypted HTTP, so anyone positioned on the network path can read and alter the response, a man-in-the-middle (MITM) attack.

Third, although the configuration file carries a signature that is verified against the root.der certificate stored in the APK, which would normally cause a tampered file to be rejected, the verification can be bypassed because of a bug in the checking code.

Trail of Bits’ technical report detailed that while the configuration file may contain both a “payload” and a “payload_gzip” field, only one of these fields needs to pass signature verification for the whole file to be accepted. An attacker can therefore leave the field that carries a valid signature untouched and inject their own content into the other field; the file is still accepted as valid.

The Trail of Bits team confirmed the attack in practice: using Burp Suite as an intercepting proxy, they swapped the legitimate configuration file fetched by a device running Showcase for a malicious version, which the device accepted.

By exploiting these vulnerabilities, an attacker could use Showcase’s permissions to install their own malicious APKs.
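The following is an added illustration of the verification flaw described above, not code from Showcase.apk, Smith Micro, Trail of Bits or iVerify. It assumes a JSON configuration with “payload” and “payload_gzip” fields plus a single signature, a loader that prefers the gzip field when present, and an HMAC standing in for the root.der certificate signature (the real scheme is public-key; the logic flaw is independent of the signature algorithm). The field names, key, sample payloads and loader preference are all constructed for the example. The vulnerable loader accepts the file if any field verifies; the hardened loader verifies only the bytes it is actually going to use.

```python
import base64
import gzip
import hashlib
import hmac
from typing import Dict, Optional

# Constructed stand-in for the bundled root.der signing material (assumption:
# HMAC instead of a certificate signature, to keep the example dependency-free).
SIGNING_KEY = b"demo-root-key-not-the-real-one"


def sign(data: bytes) -> str:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def verify(data: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(data), signature)


def decode_fields(config: dict) -> Dict[str, bytes]:
    """Decode whichever payload fields are present into raw bytes."""
    fields = {}
    if "payload" in config:
        fields["payload"] = base64.b64decode(config["payload"])
    if "payload_gzip" in config:
        fields["payload_gzip"] = gzip.decompress(base64.b64decode(config["payload_gzip"]))
    return fields


def select_payload(config: dict) -> str:
    """Assumed loader behaviour: use the gzip field when present, else plain."""
    return "payload_gzip" if "payload_gzip" in config else "payload"


def load_config_vulnerable(config: dict) -> Optional[bytes]:
    fields = decode_fields(config)
    # Flaw: the file is accepted if ANY payload field carries a valid signature,
    # but the loader then executes its preferred field, which may be unsigned.
    if any(verify(data, config["signature"]) for data in fields.values()):
        return fields[select_payload(config)]
    return None


def load_config_fixed(config: dict) -> Optional[bytes]:
    fields = decode_fields(config)
    chosen = select_payload(config)
    # Fix: pick the field first, then verify the signature over exactly those
    # bytes. A valid signature on some other field proves nothing about them.
    if chosen in fields and verify(fields[chosen], config["signature"]):
        return fields[chosen]
    return None


def build_genuine_config(payload: bytes) -> dict:
    """What the legitimate server would serve: a signed plain payload."""
    return {"payload": base64.b64encode(payload).decode(), "signature": sign(payload)}


def mitm_tamper(config: dict, malicious: bytes) -> dict:
    """What an on-path attacker can do to the plaintext HTTP response: keep the
    signed field intact and add an unsigned payload_gzip beside it."""
    tampered = dict(config)
    tampered["payload_gzip"] = base64.b64encode(gzip.compress(malicious)).decode()
    return tampered


# Constructed sample payloads (not real Showcase configuration content).
GENUINE = b'{"install": ["com.example.store-demo"]}'
MALICIOUS = b'{"install": ["com.example.attacker-dropper"]}'

if __name__ == "__main__":
    genuine = build_genuine_config(GENUINE)
    tampered = mitm_tamper(genuine, MALICIOUS)
    print("vulnerable, genuine :", load_config_vulnerable(genuine))
    print("vulnerable, tampered:", load_config_vulnerable(tampered))
    print("fixed, genuine      :", load_config_fixed(genuine))
    print("fixed, tampered     :", load_config_fixed(tampered))
```

With the tampered file, the vulnerable loader returns the attacker's payload because the untouched “payload” field still verifies, while the fixed loader rejects it. Verifying over the exact bytes that will be consumed is the general rule; fetching the file over HTTPS with certificate pinning would additionally remove the MITM position the attack depends on.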

COO of iVerify describes breakdown in communication with Google after report

These issues were reported to Google by iVerify following Google’s 90-day disclosure process. Cole said Google acknowledged the report and initially rated the severity of the vulnerability as “high.”

“However, as the investigation progressed, their communication deteriorated to the point where they ignored four consecutive communications from us as we attempted to coordinate our disclosure. To date, they have not been able to provide a concrete timeframe for releasing a patch, nor have they directly provided us with any information about the package’s original functionality or their plans to fix the issue,” Cole said.

When asked why iVerify reported the issue to Google rather than to the code’s original developer, Smith Micro, Cole said he believed Google’s intervention was necessary because of how widely the package is deployed on Pixel devices.

“The code itself, which was sloppy, was written by Smith Micro, but Pixel is ultimately a Google platform. Google made a business decision to plant what appears to be untested third-party code deep into Pixel’s operating system – so Smith Micro certainly could have written cleaner code, but I think ultimately it’s Google’s responsibility to get this right,” Cole told SC Media.

Cole also said that there “could be multiple methods” to activate Showcase.apk, making it vulnerable to MITM attacks, even though it is inactive by default.

“The idea that physical access is required to exploit the package is merely an assumption, and a threat actor with sufficient resources could almost certainly overcome that barrier,” Cole said.

Showcase.apk cannot be removed without firmware update

Due to its integration into the Pixel device’s firmware, Showcase.apk cannot be uninstalled by the user and requires an update from Google to remove.

While Google noted that integrating Showcase on all Android devices was a Verizon requirement, it’s unclear why Showcase was integrated on all devices and not just a subset that were to be used as demo phones. It’s also unclear why Showcase was running in such a privileged context, which iVerify described in its report as “completely unnecessary for the application’s intended purpose.”

As a result of iVerify and Trail of Bits’ findings, Palantir Technologies announced that over the next few years, the company will completely remove Android devices from its mobile fleet and switch to Apple devices instead.

“We support some of the most important institutions in the Western world. Google embedding third-party software into Android’s firmware without verifying the quality or security of those apps and without communicating this to vendors or users creates significant security risks for everyone who relies on this ecosystem,” said Dane Stuckey, chief information security officer at Palantir Technologies, in a statement.

Cole told SC Media that while organizations using Pixel devices with Showcase installed cannot remove the APK themselves, he recommended that organizations implement mobile EDR platforms to detect potential attacks that exploit the package and other mobile application vulnerabilities.

Trail of Bits’ technical report also includes indicators of Showcase.apk execution to help users determine whether the APK has been active on their devices.

“The discovery of Showcase.apk and other high-profile incidents, such as the execution of third-party kernel extensions in Microsoft Windows, underscore the need for more transparency and discussion around the execution of third-party apps as part of the operating system,” iVerify wrote in its report summary, citing the recent global CrowdStrike outage.
