Researchers claim most Google Pixel phones shipped with exploitable bloatware since 2017

Aug 16, 2024 - 01:30
Mobile phone security firm iVerify has discovered a vulnerability in Google Pixel smartphones. According to iVerify's investigation, a piece of third-party software with deep system access is to blame, and troublingly it shipped with "a very large percentage of Pixel devices [...] since September 2017."

The issue relates to "Showcase.apk," a bit of software made for Verizon and used to put Pixel devices in demo mode while displayed in retail stores. The software downloads a configuration file over an unencrypted web connection, which — because of Showcase's deep access — might allow bad actors to perform remote code execution or remote package installation on the device.

The especially troubling part of this discovery is that Showcase can't be uninstalled at the user level. And while it is not enabled by default, iVerify said there could be multiple ways to activate the software. iVerify alerted Google to the vulnerability in May; thus far there's no confirmed evidence it's been exploited in the wild.

A Google spokesperson told Wired that Showcase "is no longer being used" by Verizon and that Google would have a software update to remove the software from all Pixel devices "in the coming weeks." Additionally, the rep said Showcase is not present in the line of Google Pixel 9 devices announced during the Made by Google event this week.

This article originally appeared on Engadget at https://www.engadget.com/mobile/smartphones/researchers-claim-most-google-pixel-phones-shipped-with-exploitable-bloatware-since-2017-185926564.html?src=rss
