Every Google Pixel Phone Has a Verizon App that Doubles As a Backdoor

UPDATED

A defunct yet unremovable application embedded in the firmware of all Google Pixel phones can function as a perfect malicious backdoor.

"Showcase.apk" was designed by Pittsburgh-based Smith Micro, specifically for Pixel devices on display at Verizon stores. Somehow, some way, it ended up pre-installed in every Pixel phone shipped since at least September 2017 — millions around the globe, across every model besides the very first, even in those not serviced by Verizon.

That's bad news, iVerify noted in a report yesterday, as the app possesses significant privileges, and the capability to perform all kinds of malicious functions. And because it exists in the base image of the phone, there's no way for anyone but Google itself to get rid of it.

Showcase.apk Is Not A-OK

Earlier this year, iVerify identified an insecurity in an Android device used by Palantir Technologies, the big data company which contracts with government intelligence and defense agencies. Their investigation led to showcase.apk, a now obsolete Android Package File (APK) contracted by Verizon Wireless for use in its demo devices.

There were many elements of this app which remain shrouded in mystery to this day, such as why it was installed on anything besides the phones displayed in Verizon stores and why it was it so unduly privileged. The app inherits "excessive" system-like privileges for no discernible reason. It can use those privileges to run commands in a shell environment, or install arbitrary packages, among other things.

"You can use your imagination for how it could be used," says Rocky Cole, Co-Founder & COO at iVerify, himself a former Google employee. "It has the ability to control the device — like, turn the camera on and off, read text messages, emails, as part of its core demo store functionality."

It doesn't help, then, that the package is riddled with vulnerabilities. It communicates with a command-and-control (C2) domain and downloads files over unsecure HTTP, opening the door to man-in-the-middle (MITM) attacks, the insecure certificate and signature verification processes it uses to check incoming files can return valid responses even after failure, and more.

A Silver Lining

There are two bits of good news, though.

For one thing, showcase.apk appears to be off by default. And, it turned out, iVerify researchers could only toggle it on when they had physical proximity to a targeted device (through mechanisms they would not disclose prior to any Google patch).

"The assumption that proximity to the device is required to activate it is truly the only thing standing between the adversary and the end user," explains Cole who, besides Google, also formerly worked as an NSA analyst. "If you overcome that barrier — and I can think of a few ways that you might — what you essentially have is an undetectable, persistent spiral."

This would be of most concern to high-risk users. "At Palantir, for example, a lot of their customers work in really contested spaces. They're on the front lines of not just digital conflict, but actual, kinetic, real world conflict. And a lot of national security capabilities are built on Android. And so this vulnerability would be the perfect second or third stage of a mobile exploit chain," he says.

As an example of where showcase.apk could fit into a wider attack chain, he points to Operation Triangulation. "The exploit chain on that was 10 or 12 steps long — think about showcase.apk as fitting somewhere in the middle to the end of that."

Not Planned for Google Pixel 9

Thus far, no evidence suggests that showcase.apk has been exploited in the wild.

In statements to the press, Google spokespeople have indicated that the upcoming Google Pixel 9 will not include the package at all. For existing Pixels, Google is reportedly working on an update to be released "in the coming weeks." Until then, Pixel owners at high risk can do little more than protect their phones physically, to make difficult the initial methods of intrusion which pave the way for showcase.apk abuse.

Dark Reading has reached out to Google for more information about any upcoming fixes.

A Verizon spokesperson provided a statement, saying: "We are aware of a potential vulnerability specific to a capability that enables in-store demos of Android devices. This capability is no longer being used by Verizon in stores, and is not used by consumers. We have seen no evidence of any exploitation of this. Out of an abundance of precaution, Android OEMs will be removing this demo capability from all supported devices."

Meantime, to Cole, there's a broader issue at play. "Take CrowdStrike -  and to be clear, I love Crowdstrike, this is just a learning for the industry as a whole - it's wittingly placed there by the end user. If you buy CrowdStrike, you agree to have third-party software running at the kernel level on your machines. What's different about Showcase.apk is that no end user ever gets the [option] other than to just accept Pixel's Terms of Service. It's a take it or leave it proposition — you either accept the bloatware or you don't use Pixel," he explains.

"The lesson here," he concludes, "is it's probably risky to push third-party software so deep in the operating system without giving users the ability to remove it."

This story was updated at 5:28pm ET to include comment received from Verizon.