Every Google Pixel Phone Has a Verizon App that Doubles As a Backdoor

Published: 23/11/2024   Category: security




What is a Verizon Wireless demo store app doing on non-Verizon phones, and why is it a vehicle for an attacker?



UPDATED
A defunct yet unremovable application embedded in the firmware of all Google Pixel phones can function as a perfect malicious backdoor.
Showcase.apk was designed by Pittsburgh-based Smith Micro, specifically for Pixel devices on display at Verizon stores. Somehow, some way, it ended up pre-installed in every Pixel phone shipped since at least September 2017 — millions around the globe, across every model besides the very first, even in those not serviced by Verizon.
That's bad news, iVerify noted in a report yesterday, as the app possesses significant privileges, and the capability to perform all kinds of malicious functions. And because it exists in the base image of the phone, there's no way for anyone but Google itself to get rid of it.
Earlier this year, iVerify identified an insecurity in an Android device used by Palantir Technologies, the big data company which contracts with government intelligence and defense agencies. Their investigation led to showcase.apk, a now obsolete Android Package File (APK) contracted by Verizon Wireless for use in its demo devices.
Many elements of this app remain shrouded in mystery to this day, such as why it was installed on anything besides the phones displayed in Verizon stores and why it was so unduly privileged. The app inherits excessive system-like privileges for no discernible reason. It can use those privileges to run commands in a shell environment, or install arbitrary packages, among other things.
"You can use your imagination for how it could be used," says Rocky Cole, Co-Founder & COO at iVerify, himself a former Google employee. "It has the ability to control the device — like, turn the camera on and off, read text messages, emails, as part of its core demo store functionality."
It doesn't help, then, that the package is riddled with vulnerabilities. It communicates with a command-and-control (C2) domain and downloads files over unsecure HTTP, opening the door to man-in-the-middle (MITM) attacks; the insecure certificate and signature verification processes it uses to check incoming files can return valid responses even after failure; and more.
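To illustrate the failure mode described above (a check that still reports "valid" after verification fails, on a file fetched over plain HTTP), here is an added example; it is not code from showcase.apk or from iVerify's report. A pinned SHA-256 digest stands in for signature verification, and the function names, URL and sample payload are all constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample data: a known-good payload and its pinned digest.
GOOD_PAYLOAD = b"demo-config-v1"
PINNED_SHA256 = hashlib.sha256(GOOD_PAYLOAD).hexdigest()
SAMPLE_HTTP_URL = "http://updates.example/demo.bin"    # hypothetical URL
SAMPLE_HTTPS_URL = "https://updates.example/demo.bin"  # hypothetical URL


def digest_matches(payload, expected_hex):
    """Constant-time comparison of the payload digest with the pinned value.

    Raises TypeError if either input is missing (None), which is the kind
    of verification error the two callers below handle differently.
    """
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


def verify_fail_open(url, payload, expected_hex):
    """Anti-pattern: the result starts as 'valid' and errors are swallowed.

    The transport (url) is never checked, and any exception raised during
    verification leaves ok == True, so a failed check reports success.
    """
    ok = True
    try:
        if not digest_matches(payload, expected_hex):
            ok = False
    except Exception:
        pass  # verification error is ignored; ok is still True
    return ok


def verify_fail_closed(url, payload, expected_hex):
    """Hardened form: require HTTPS and treat any error as a rejection."""
    try:
        if urlsplit(url).scheme != "https":
            return False
        return digest_matches(payload, expected_hex)
    except Exception:
        return False
```

With a missing pinned digest (`None`), the first function accepts a tampered payload delivered over HTTP, while the second rejects it.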
There are two bits of good news, though.
For one thing, showcase.apk appears to be off by default. And, it turned out, iVerify researchers could only toggle it on when they had physical proximity to a targeted device (through mechanisms they would not disclose prior to any Google patch).
"The assumption that proximity to the device is required to activate it is truly the only thing standing between the adversary and the end user," explains Cole who, besides Google, also formerly worked as an NSA analyst. "If you overcome that barrier — and I can think of a few ways that you might — what you essentially have is an undetectable, persistent spiral."
This would be of most concern to high-risk users. "At Palantir, for example, a lot of their customers work in really contested spaces. They're on the front lines of not just digital conflict, but actual, kinetic, real world conflict. And a lot of national security capabilities are built on Android. And so this vulnerability would be the perfect second or third stage of a mobile exploit chain," he says.
As an example of where showcase.apk could fit into a wider attack chain, he points to Operation Triangulation. "The exploit chain on that was 10 or 12 steps long — think about showcase.apk as fitting somewhere in the middle to the end of that."
Thus far, no evidence suggests that showcase.apk has been exploited in the wild.
In statements to the press, Google spokespeople have indicated that the upcoming Google Pixel 9 will not include the package at all. For existing Pixels, Google is reportedly working on an update to be released in the coming weeks. Until then, Pixel owners at high risk can do little more than protect their phones physically, to make difficult the initial methods of intrusion which pave the way for showcase.apk abuse.
Dark Reading has reached out to Google for more information about any upcoming fixes.
A Verizon spokesperson provided a statement, saying: "We are aware of a potential vulnerability specific to a capability that enables in-store demos of Android devices. This capability is no longer being used by Verizon in stores, and is not used by consumers. We have seen no evidence of any exploitation of this. Out of an abundance of precaution, Android OEMs will be removing this demo capability from all supported devices."
Meantime, to Cole, there's a broader issue at play. "Take CrowdStrike - and to be clear, I love CrowdStrike, this is just a learning for the industry as a whole - it's wittingly placed there by the end user. If you buy CrowdStrike, you agree to have third-party software running at the kernel level on your machines. What's different about Showcase.apk is that no end user ever gets the [option] other than to just accept Pixel's Terms of Service. It's a take it or leave it proposition — you either accept the bloatware or you don't use Pixel," he explains.
The lesson here, he concludes, is "it's probably risky to push third-party software so deep in the operating system without giving users the ability to remove it."
This story was updated at 5:28pm ET to include comment received from Verizon.
