Exploitable bloatware puts millions of Google Pixel users at risk
Google is planning a software update designed to remove this software from all Pixel devices

Aug 16, 2024
10:19 am

What's the story

Mobile phone security firm iVerify has identified a significant vulnerability in Google's Pixel smartphones. The flaw is linked to a third-party software package named "Showcase.apk," which has been present on a large number of Pixel devices since September 2017. This software was initially developed for Verizon to display Pixel phones in demo mode at retail outlets.

Functionality

Bloatware vulnerability in Google Pixel phones: How it works

The Showcase software operates by downloading a configuration file over an unencrypted web connection. Due to its deep system access, this process could potentially enable malicious actors to remotely execute code or install packages on the device. This vulnerability is particularly concerning as users cannot remove the Showcase software from their devices.
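The combination described above, cleartext network traffic in an app that also holds package-install privileges, is something a defender can check for when auditing preinstalled apps. The Python below is an added example, not code from iVerify, Google or the Showcase app; it assumes the manifest has already been decoded to text XML, and the sample manifest and its package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Permissions that allow installing or removing packages without user consent
# (granted only to privileged/system apps).
PRIVILEGED = {
    "android.permission.INSTALL_PACKAGES",
    "android.permission.DELETE_PACKAGES",
}

def cleartext_allowed(root):
    """Return True/False, or None when a network security config decides."""
    app = root.find("application")
    if app is not None:
        if app.get(A + "networkSecurityConfig"):
            return None  # policy lives in a separate XML resource; review it
        flag = app.get(A + "usesCleartextTraffic")
        if flag is not None:
            return flag.lower() == "true"
    # Attribute absent: the platform default allows cleartext for targetSdk <= 27.
    sdk = root.find("uses-sdk")
    target = int(sdk.get(A + "targetSdkVersion", "1")) if sdk is not None else 1
    return target <= 27

def audit_manifest(xml_text):
    """Flag apps that can install packages and may talk plain HTTP."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    risky = sorted(perms & PRIVILEGED)
    cleartext = cleartext_allowed(root)
    return {
        "package": root.get("package"),
        "cleartext": cleartext,
        "privileged_permissions": risky,
        # None (undetermined) still counts as needing review.
        "flag": bool(risky) and cleartext is not False,
    }

# Constructed sample manifest (hypothetical package, not taken from any real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.retaildemo">
  <uses-sdk android:targetSdkVersion="25"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <application android:label="Retail Demo"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

A flagged result only means the app is permitted to use plain HTTP while holding install privileges; confirming what it actually fetches still requires inspecting its traffic or code.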

Activation

iVerify's findings on the bloatware vulnerability

While the Showcase software is not active by default, iVerify suggests that there could be several methods to activate it. The security firm first alerted Google about this vulnerability in May. However, there has been no confirmed evidence of this flaw being exploited in real-world scenarios so far.

Update

Google's response to the bloatware vulnerability

In response to iVerify's findings, a Google spokesperson has confirmed that Verizon no longer uses the Showcase software. The tech giant is also planning a software update designed to remove this software from all Pixel devices in the coming weeks. The representative further clarified that the newly launched Google Pixel 9 series of smartphones does not contain the risky software.