Google Pixels Carry Verizon App That Doubles as Backdoor

An outdated but irremovable application built into the firmware of all Google Pixel phones could act as a perfect malicious backdoor.

“Showcase.apk” was designed by Pittsburgh-based Smith Micro specifically for Pixel devices on display in Verizon stores. Somehow it ended up pre-installed on every Pixel phone shipped since at least September 2017 — millions all over the world, in every model except the very first, even those not serviced by Verizon. Dark Reading has reached out to Verizon for information on how this happened.

That’s bad news, iVerify noted in a report yesterday, as the app has significant privileges and the ability to perform all kinds of malicious functions. And because it’s in the phone’s base image, no one but Google can get rid of it.

Showcase.apk is not OK

Earlier this year, iVerify discovered a vulnerability in an Android device used by Palantir Technologies, the big data company that contracts with government intelligence and defense agencies. Their investigation led to showcase.apk, a now-deprecated Android Package File (APK) that Verizon Wireless contracted for use in its demo devices.

Many elements of this app remain shrouded in mystery to this day, such as why it was installed on anything other than the phones in Verizon stores and why it was so unnecessarily privileged. The app inherits “excessive” system-like privileges for no apparent reason. These privileges can be used to, among other things, execute commands in a shell environment or install arbitrary packages.

“You can use your imagination for how it can be used,” says Rocky Cole, co-founder and COO of iVerify, himself a former Google employee. “It has the ability to control the device — like turning the camera on and off, reading text messages and emails — as part of the core functionality of the demo store.”

It doesn’t help that the package is riddled with vulnerabilities. It communicates with a command-and-control (C2) domain and downloads files over insecure HTTP, opening the door to man-in-the-middle (MITM) attacks; the insecure certificate and signature verification processes it uses to check incoming files can return valid responses even after a failure; and more.

A bright spot

There is, however, also good news.

First, showcase.apk appears to be turned off by default. And it turns out that iVerify researchers could only turn it on when they were physically near a target device (via mechanisms they chose not to disclose until a Google patch).

“The assumption that proximity to the device is required to activate it is really the only thing standing between the adversary and the end user,” explains Cole, who in addition to working for Google also worked as an NSA analyst. “If you overcome that barrier — and I can think of a few ways you could do that — you essentially have an undetectable, persistent spiral.”

This would be of greatest concern for high-risk users. “At Palantir, for example, a lot of their customers are in really contested spaces. They’re on the front lines of not just digital conflicts, but actual, kinetic, real-world conflicts. And a lot of national security capabilities are built on Android. And so this vulnerability would be the perfect second or third stage of a mobile exploit chain,” he says.

As an example of where showcase.apk could fit into a broader attack chain, he cites Operation Triangulation. “The exploit chain was 10 or 12 steps long. Think of showcase.apk, which fits somewhere in the middle or at the end of that.”

Not planned for Google Pixel 9

So far, there is no evidence that showcase.apk has been abused in the wild.

In statements to the press, Google spokespeople have indicated that the upcoming Google Pixel 9 will not include the package at all. For existing Pixels, Google is reportedly working on an update that will be released “in the coming weeks.” Until then, high-risk Pixel owners can do little more than physically protect their phones and thwart initial break-in methods that pave the way for showcase.apk abuse.

Dark Reading has contacted Google for more information on upcoming fixes.

And for Cole, there’s a broader problem at play. “Take CrowdStrike: it’s there intentionally by the end user. When you buy CrowdStrike, you’re agreeing to third-party software running on your machines at the kernel level. What’s different about Showcase.apk is that no end user ever gets the (option) other than to simply accept the Pixel Terms of Service. It’s a take it or leave it situation — you either accept the bloatware or you don’t use the Pixel,” he explains.

“The lesson here,” he concludes, “is that it’s probably risky to implement third-party software so deeply into the operating system without giving users the ability to remove it.”