Android vulnerability discovered affecting millions of Pixel devices worldwide
iVerify Discovers Android Vulnerability Impacting Millions of Pixel Devices Around the World
https://iverify.io/blog/iverify-discovers-android-vulnerability-impacting-millions-of-pixel-devices-around-the-world
In early 2024, iVerify's security tool, EDR , determined that 'Android devices used by Palantir Technologies were not secure.' So iVerify began an investigation in collaboration with Palantir and security company Trail of Bits . The investigation revealed the presence of an Android application package called 'Showcase.apk' that was part of the firmware.
Enabling Showcase.apk gives hackers access to the operating system, making it vulnerable to man-in-the-middle attacks , code injection , and spyware attacks. The impact of this vulnerability is significant, and could lead to billions of dollars in data loss, according to iVerify.
Showcase.apk was developed by Smith Micro, a software development company with operations in the Americas and EMEA that offers software packages such as remote access, parental control, and data erasure tools. iVerify points out that Smith Micro may have designed this application package to promote the sale of Pixel devices and Android smartphones in Verizon stores. Because Showcase.apk is part of the firmware image, it is said that Showcase.apk is running at the system level on millions of Pixel devices around the world.
The application package is designed to retrieve configuration files over insecure HTTP, which allows the app to execute modules with system commands that could open backdoors, making it easier for cybercriminals to infiltrate the device. Because the app is not inherently malicious, it will be missed by most security technologies and will not be flagged as malicious. Also, because Showcase.apk is part of the firmware image installed at the system level, users cannot uninstall it themselves.
The code in Showcase.apk runs at the system level and is designed to turn the device into a demo device, fundamentally altering the behavior of the operating system. It is also notable that the application runs in a privileged context that is 'unnecessary for the application's intended purpose,' according to iVerify.
Other notable features of Showcase.apk include:
Failing to authenticate or validate a statically defined domain while retrieving an application's configuration file. If the application already has a persistent configuration file, it is unclear whether additional checks are performed to ensure the command and control or file retrieval configuration parameters are up to date.
The application performs insecure default variable initialization during certificate and signature validation and a valid validation check is performed after the failure.
- The application's configuration files may be modified before being retrieved or transferred to the target phone.
The application cannot handle when public keys, signatures, and certificates are not bundled with resources. Excluding these non-essential files may result in the validation process being completely bypassed during package or file downloads.
The application communicates insecurely over HTTP to predefined URLs to retrieve remote files and application configuration files. The URLs are constructed in a predictable manner.
iVerify points out that 'this highlights the need for more transparency and discussion about running third-party apps as part of the operating system. It also shows the need for quality assurance and penetration testing to ensure the safety of third-party apps installed on millions of devices. ' In addition, it is unclear why Google is installing Showcase.apk on all Pixel devices, even though only a small number of devices require it.
iVerify has notified Google of the detailed vulnerability report after a 90-day disclosure process, but it is unclear whether Google will issue a patch to fix the potential risk or remove the software from phones.
Related Posts: