Google Pixel Phones Have a Vulnerability That Can Give Hackers High-Level Device Access

  • Cybersecurity firm iVerify found a vulnerability in Google Pixel apps that has existed since 2017 and could be affecting millions of users.
  • The vulnerability was found in a pre-installed app called Showcase.apk that was used for turning on the demo mode in the device for in-store displays.
  • The vulnerability has already been addressed by Google and it said that a patch is on the way.

Pixel Phones’ Vulnerability Can Give Hackers High-Level Access

A serious vulnerability has been discovered in a pre-installed Google Pixel app that could affect millions of users. The discovery was made by cybersecurity firm iVerify, which published a complete report on it.

The vulnerability lies within a pre-installed Android app called Showcase.apk developed by Smith Micro. It was used to enable demo mode in devices for in-store display.

Initially not a part of the Android firmware, it was later embedded in it at the request of Verizon (the mobile carrier).

The app is very powerful, with high system privileges. If compromised, threat actors can use it to execute code remotely or install malicious packages on the device.

However, before this app can be compromised, there needs to be an entry point. This entry point is provided by the way Showcase.apk communicates with its host.

“The application downloads a configuration file over an insecure connection and can be manipulated to execute code at the system level” – iVerify’s report

In simple terms, the app retrieves its configuration file from a single US-based domain hosted on Amazon Web Services (AWS) over an unsecured HTTP connection. This insecure connection makes the files in transit vulnerable to interception, thus risking the device.
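The weakness described above is that a configuration file is trusted exactly as it arrives. The following Python example is added here for illustration and is not code from Showcase.apk, Smith Micro, or iVerify's report: it shows a loader that refuses cleartext sources and checks an integrity tag before parsing. The URLs, key, and function names are constructed, the HMAC stands in for a publisher's public-key signature, and the config bytes are passed in directly so the example runs offline.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed values for illustration; none come from the app or the report.
CONFIG_URL_CLEARTEXT = "http://config.example.invalid/demo.json"
CONFIG_URL_TLS = "https://config.example.invalid/demo.json"
SHARED_KEY = b"constructed-demo-key"  # assumption: stand-in for a real signature key


class ConfigRejected(Exception):
    """Raised when a configuration must not be applied."""


def sign(body: bytes, key: bytes = SHARED_KEY) -> str:
    """Publisher side: authentication tag over the exact config bytes."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def load_config(url: str, body: bytes, tag: str, key: bytes = SHARED_KEY) -> dict:
    """Client side: check transport and integrity before parsing anything."""
    # 1. Transport: over plain HTTP, anyone on the network path can rewrite the file.
    if urlsplit(url).scheme.lower() != "https":
        raise ConfigRejected("cleartext transport")
    # 2. Integrity: compare tags in constant time, on bytes, before touching the body.
    expected = sign(body, key).encode("ascii")
    if not hmac.compare_digest(expected, tag.encode("utf-8")):
        raise ConfigRejected("integrity tag mismatch")
    # 3. Only now parse, and insist on the expected top-level shape.
    config = json.loads(body)
    if not isinstance(config, dict):
        raise ConfigRejected("unexpected config structure")
    return config


if __name__ == "__main__":
    original = b'{"demo_mode": true}'      # constructed sample config
    tag = sign(original)
    altered = b'{"demo_mode": false}'      # same tag, body changed in transit
    for url, body in [(CONFIG_URL_TLS, original),
                      (CONFIG_URL_CLEARTEXT, original),
                      (CONFIG_URL_TLS, altered)]:
        try:
            print(url, "->", load_config(url, body, tag))
        except ConfigRejected as err:
            print(url, "-> rejected:", err)
```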

Google Is Already Working on a Fix

The vulnerability is present in many devices that have been shipped since 2017. So the total number of users at risk could be in the millions. But the good news is, a fix is already underway.

  • Google has addressed the issue and said that it will release a patch for all “supported in-market Pixel devices” in a few weeks.
  • This doesn’t include the Pixel 9 series because when tested, none of the four models in the series had this vulnerability.
  • Verizon has also been notified about the vulnerability. Although it no longer uses the app and has found no evidence of ongoing exploitation, it has still decided to remove the function from all the devices it supports just to be extra safe.
  • Lastly, Google also said that this isn’t an issue with Pixel phones or Android. The problem lies with Smith Micro.
  • So Google has also decided to notify other Android manufacturers since third-party devices might also have this problem.

The good news – so far there is no indication that the vulnerability has been exploited. It’s probably because no threat actors are aware of it or because the app is not enabled by default.

But now that the news is public, let’s just hope that Google’s fix reaches devices before any malicious actor can exploit the flaw.
