Google will remove an app from its Pixel smartphone devices more than 90 days after intelligence contractor Palantir and mobile security company iVerify expressed concern about critical software vulnerabilities, Google said on Wednesday night.
The application in question, “Showcase.apk,” is designed to allow employees selling Pixel phones to demonstrate the phone’s features, iVerify said. But when the normally dormant app is launched, it accesses information from an Amazon Web Services site using the insecure HTTP protocol, making it vulnerable to hacking.
Information about the Pixel app vulnerability was made public in a report on Thursday. The report, released by Palantir and security firm Trail of Bits, comes from iVerify, who say they notified Google of the issue more than 90 days ago, but their concerns were not addressed. Palantir has since stopped distributing Android phones to employees due to concerns about the software’s security.
In an email to CNET, Google said the app was developed for Verizon by a third party, Smith Micro, and was only used on in-store devices, so it doesn’t indicate any vulnerabilities in Android or the Pixel. The company said the app is no longer in use.
“Exploitation of this app on a user’s phone would require both physical access to the device and the user’s password,” a Google spokesperson told CNET. “We currently have no evidence of exploitation. As a precaution, we will remove this app from all supported Pixel devices in the market in an upcoming Pixel software update. This app will not be present on Pixel 9 series devices, and we have notified other Android OEMs.”
News of the potential security issues for Pixel phones comes the same week that Google unveiled its new Pixel smartphone series at its Made By Google event in Mountain View, Calif., where the company touted its new hardware series of phones, watches and earbuds, as well as the AI capabilities of its Gemini software.
“While there is no evidence that this vulnerability is being actively exploited in the wild, it has serious implications in corporate environments given the millions of Android smartphones deployed into the workplace every day,” said Rocky Cole, co-founder and chief operating officer at iVerify, in a summary of the report. “Google is essentially giving CISOs the impossible choice between accepting insecure bloatware or banning Android altogether.”
iVerify said the app in question is part of the firmware on Pixel phones and cannot be removed by users. The app can also cause issues on non-Pixel Android devices issued by Verizon that contain the Showcase app.
Google said in an email that the Pixel update will be released in the “coming weeks,” but did not provide any instructions on what steps users can take to protect their phones in the meantime, beyond keeping the devices physically out of hackers’ hands.