Google Pixel’s software is one of its strong pointseven though it is not free of errors: problems with the mobile network, cell phones that do not turn on after a reset, bugs when accessing the internal memory … these are just some examples of the incidents encountered by users who own the device. experienced. Fortunately, the American giant has solved each of these problems, at the same time as it deploys its security patches in terms of security. Likewise, last June, seven critical vulnerabilities were corrected in a quarterly update.
However, they are now facing a very serious problem: iVerify has reported the existence of a pre-installed APK file in the Android software of Google phones and opens the door for malicious users to execute code and even install packages at will. Here’s what you need to know about it Serious vulnerability affecting the Google Pixel.
A factory APK with a lot of danger
As we read on the iVerify blog, earlier this year an Android device was flagged as insecure due to a set of apps: Showcase.apk. It is common for some companies dedicated to the security of our device to find flaws, but this one comes from an APK pre-installed in the firmware.
With it, it is possible to inject malicious code and spyware, leaving Android facing a great vulnerability. The company informed Google itself with an exhaustive vulnerability report. The origin of this APK is Smith Micro, a software company present in America, Europe, the Middle East and Africa: iVerify claims that this package was probably created to improve the sales of Google mobile phones in the United States. Verizon storesan American operator.
The main problem is that This is part of the Google Pixel firmware imagei.e. it is pre-installed. This was designed to retrieve configuration files via unsecured HTTP. This allows it to execute commands or system modules that could open a backdoor and compromise the device.
The APK is pre-installed but not activated. However, Google has confirmed that it will remove it in a future update
Because it is not dangerous in itself, it has never been detected by security tools like antiviruses. It is also not possible to uninstall it easily because it is installed in the system partition and, in theory, it should only serve to turn the phone into a demonstration device: in the style of what we see in some physical stores.
Android Police provides more details: the app is disabled at the factory, which would make it difficult for users to take any possible harmful action. That’s why Google is not marking this incident as a priority, and it’s unclear whether it could be activated remotely.
“We have only found one physical way to activate this, but there could be different ways for a potential remote attacker or someone already on the phone with malware to activate it and use it for privilege escalation,” Matthias Frielingsdorf, vice president of research at iVerify, said in a statement to Wired.
Of course, the question remains as to what sense Google makes in distributing this app on its Pixels if it’s only intended for demonstration in Verizon stores. Fortunately, a spokesperson for the American company itself confirmed to Wired that the app is no longer in use and will be removed from Pixels via a software update “in the coming weeks.” We will be keeping an eye on this update on our Google Pixel and will let you know when it arrives.
By | iCheck
Cover image | Iván Linares for Xataka (with editing)
In Xataka Android | What is malware, what are its types and what can you do if it infects your mobile
