Google Pixel Phones Have a Vulnerability That Can Give Hackers High-Level Device Access

  • Cybersecurity firm iVerify found a vulnerability in a pre-installed Google Pixel app that has existed since 2017 and could affect millions of users.
  • The vulnerability was found in a pre-installed app called Showcase.apk, which was used to switch a device into demo mode for in-store displays.
  • Google has already addressed the vulnerability and says a patch is on the way.

Pixel Phones’ Vulnerability Can Give Hackers High-Level Access

A serious vulnerability has been discovered in a pre-installed Google Pixel app that could affect millions of users. The discovery was made by cybersecurity firm iVerify, which published a full report on it.

The vulnerability lies within a pre-installed Android app called Showcase.apk, developed by Smith Micro. It was used to enable demo mode on devices for in-store display.

Initially not part of the Android firmware, the app was later embedded in it at the request of Verizon, the mobile carrier.

The app is very powerful and runs with high system privileges. If compromised, threat actors can use it to execute code remotely or install malicious packages on the device.

However, before this app can be compromised, there needs to be an entry point. That entry point is provided by the way Showcase.apk communicates with its host.

“The application downloads a configuration file over an insecure connection and can be manipulated to execute code at the system level” – iVerify’s report

In simple terms, the app retrieves its configuration file from a single US-based domain hosted on Amazon Web Services (AWS) over an unencrypted HTTP connection. Because the connection is neither encrypted nor authenticated, the file can be intercepted or tampered with in transit, putting the device at risk.
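As an added example (not code from Showcase.apk, iVerify, Google or Smith Micro), the following Python sketches the loading policy a privileged app should apply to a remotely fetched configuration: refuse anything that is not HTTPS to an allowlisted host, authenticate the file's contents before parsing it, and reject keys outside a fixed schema. The host name, the config keys, the shared secret and the sample config bodies are all constructed for the illustration; a real deployment would verify an asymmetric signature with an embedded public key rather than a shared HMAC secret.

```python
"""Hardened remote-config loading policy (added example, stdlib only)."""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed assumptions for the example only.
ALLOWED_HOSTS = {"config.example.com"}              # hypothetical config host
CONFIG_HMAC_KEY = b"example-shared-secret-not-for-production"
ALLOWED_KEYS = {"demo_mode", "retail_banner"}       # hypothetical config schema


def check_config_url(url: str) -> None:
    """Transport check: only HTTPS to an allowlisted host is acceptable.

    A cleartext http:// source is exactly the weakness described above: an
    on-path party can read or replace the file before the app sees it.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError(f"insecure scheme {parts.scheme!r}: config must use TLS")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected config host {parts.hostname!r}")


def sign_config(body: bytes) -> str:
    """Server-side helper, used here only to build sample inputs."""
    return hmac.new(CONFIG_HMAC_KEY, body, hashlib.sha256).hexdigest()


def verify_config(body: bytes, tag_hex: str) -> dict:
    """Content check: authenticate the bytes first, then parse and validate.

    Verifying before parsing means an attacker-controlled body never reaches
    the JSON parser or any code that acts on the settings.
    """
    expected = sign_config(body)
    if not hmac.compare_digest(expected, tag_hex):
        raise ValueError("config integrity tag mismatch")
    cfg = json.loads(body)
    if not isinstance(cfg, dict):
        raise ValueError("config must be a JSON object")
    unknown = set(cfg) - ALLOWED_KEYS
    if unknown:
        raise ValueError(f"config contains keys outside the schema: {sorted(unknown)}")
    return cfg


def load_config(url: str, body: bytes, tag_hex: str) -> dict:
    """Full policy: transport check, then authenticity check, then schema check."""
    check_config_url(url)
    return verify_config(body, tag_hex)


def accepts(url: str, body: bytes, tag_hex: str) -> bool:
    """Convenience wrapper returning True if the policy would apply the config."""
    try:
        load_config(url, body, tag_hex)
        return True
    except ValueError:
        return False


# Constructed sample inputs.
SECURE_URL = "https://config.example.com/showcase.json"
INSECURE_URL = "http://config.example.com/showcase.json"
GOOD_BODY = json.dumps({"demo_mode": True}).encode()
GOOD_TAG = sign_config(GOOD_BODY)
# Same URL and tag, but the body was changed in transit: tag no longer matches.
TAMPERED_BODY = json.dumps({"demo_mode": False}).encode()
# Correctly signed, but carries a key the schema does not allow.
OVERREACH_BODY = json.dumps({"demo_mode": True, "install_package": "x"}).encode()
OVERREACH_TAG = sign_config(OVERREACH_BODY)

if __name__ == "__main__":
    for label, url, body, tag in [
        ("https + valid", SECURE_URL, GOOD_BODY, GOOD_TAG),
        ("http  + valid", INSECURE_URL, GOOD_BODY, GOOD_TAG),
        ("https + tampered", SECURE_URL, TAMPERED_BODY, GOOD_TAG),
        ("https + off-schema", SECURE_URL, OVERREACH_BODY, OVERREACH_TAG),
    ]:
        print(f"{label:20s} -> {'accept' if accepts(url, body, tag) else 'reject'}")
```

The order of the checks is the design point: the transport check costs nothing and removes the interception path entirely, the integrity check means a file that somehow arrived over a bad channel still cannot be applied, and the schema check limits what even a legitimately signed file can ask a highly privileged component to do.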

Google Is Already Working on a Fix

The vulnerability is present in many devices shipped since 2017, so the total number of users at risk could be in the millions. The good news is that a fix is already underway.

  • Google has addressed the issue and said it will release a patch for all “supported in-market Pixel devices” in the coming weeks.
  • The Pixel 9 series is not included, because none of its four models was found to carry the vulnerability when tested.
  • Verizon has also been notified about the vulnerability. Although it no longer uses the app and found no evidence of ongoing exploitation, it has still decided to remove the function from all the devices it supports as a precaution.
  • Google also said that this isn’t an issue with Pixel phones or Android; the problem lies with Smith Micro.
  • Google has therefore also decided to notify other Android manufacturers, since third-party devices may have the same problem.

The good news is that, so far, there is no indication that the vulnerability has been exploited. That is probably because no threat actors were aware of it, or because the app is not enabled by default.

But now that the news is public, let’s hope Google’s fix reaches devices before any malicious actor can exploit the flaw.
