Most Google Pixel phones sold since September 2017 included software that could be used to surveil or remotely control users’ phones, according to a new report from the cybersecurity company iVerify.
The vulnerability was discovered after iVerify’s endpoint detection and response (EDR) scanner flagged an insecure Android device at Palantir Technologies, an iVerify client. After launching a joint investigation, iVerify, Palantir, and Trail of Bits discovered a hidden Android software package — Showcase.apk — across Google Pixel devices. The data-mining firm Palantir, which sells its surveillance products to governments and private companies, banned Android devices across the company in response.
“This was very deleterious of trust, to have third-party, unvetted insecure software on it,” Dane Stuckey, Palantir’s Chief Information Security Officer, told The Washington Post. “We have no idea how it got there, so we made the decision to effectively ban Androids internally.”
According to iVerify’s report, the software was developed by a company called Smith Micro Software and appears to have been created for Verizon for in-store demos. The app was inactive by default and had to be manually enabled, the iVerify report found. “When enabled, Showcase.apk makes the operating system accessible to hackers and ripe for man-in-the-middle attacks, code injection, and spyware,” the report reads. “The impact of this vulnerability is significant and could result in data loss breaches totaling billions of dollars.”
In a statement to the Post, Google spokesperson Ed Fernandez said the software was made “for Verizon in-store demo devices and is no longer being used.” Google did not immediately respond to The Verge’s request for comment.
iVerify told Google about its report in early May, according to Wired. The company had not publicly disclosed the vulnerability, nor has it released a software update to remove the problem. Fernandez, the Google spokesperson, told Wired Android would remove the app from all Pixel devices “in the coming weeks,” adding that Google hasn’t seen evidence of active exploitation of the software.
“It’s really quite troubling. Pixels are meant to be clean,” Stuckey, of Palantir, told the Post. “There is a bunch of defense stuff built on Pixel phones.”
