Google has worked hard to make Android as secure as possible, but as with any operating system, security issues occasionally crop up. A bug allowed malicious apps to be downloaded onto Google Pixel phones and has now been fixed.

A hidden and insecure feature in Google’s software for some Android phones has been discovered. Security firm iVerify found the feature, called Showcase.apk, on phones owned by a U.S. intelligence contractor. The normally dormant app appears to be intended to provide deep access to devices for demonstration purposes, but researchers were able to activate it. The discovery prompted data analytics firm Palantir Technologies (best known for helping the Trump administration deport immigrants from the United States) to ban the use of Android phones internally. One manager said, “This was very trust-damaging… We have no idea how it got there.”

The app’s insecurity lies in its ability to download instructions from an unsafe web address, making it vulnerable to interception and tampering. iVerify warned: “The app’s vulnerability leaves millions of Android Pixel devices vulnerable to man-in-the-middle attacks, allowing cybercriminals to inject malicious code and dangerous spyware.”

iVerify contacted Google over 90 days ago but received no indication of a solution until Wednesday evening, when Google announced The Washington Post it would issue an update to remove the application. Google claims it has not observed any hacking through Showcase and that exploitation would require both physical access and the user’s password. However, the fact that this oversight exists despite the app being included in Google-made Pixel phones, which are known for their quick security updates, is worrying to say the least.

This is another good reminder to keep your Android phone up to date and install security patches as soon as they become available. Once a fix for security issues like this one is available, you can protect yourself.

Source: The Washington Post