Pixel 2 and later phones banned at a company after dangerous uninstallable app was discovered
iVerify shared its findings with The Washington Post, which reports that Google’s master software for Pixel phones included a feature that gave Verizon sales staff deep access to the devices to help with demos.
This feature has security flaws. This came to light after iVerify’s endpoint detection and response (EDR) scanner revealed an insecure Android device at Palantir Technologies, an iVerify client that makes defense software solutions for the US army.
When the matter was investigated by iVerify, Palantir, and Trail of Bits, it was discovered that Google’s Pixel devices contained a hidden Android app called Showcase, developed by software maker Smith Micro. For a third-party app, it has a disturbingly high level of privilege.
iVerify researchers suspect that other Android devices may also have the app.
Showcase is an otherwise dormant app that can be enabled by cybercriminals remotely, though Google denies that and says physical possession and user password would be required for exploitation of the app.
When Showcase is active, it downloads instructions from an insecure website. Hackers can intercept the data that is transmitted and even send malicious spying instructions instead.
It cannot be deleted from phones by users, which means millions of Pixel devices out there are susceptible to man-in-the-middle attacks.
“Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update.”
Ed Fernandez, Google spokesperson, August 2024
“Mobile security is a very real concern for us, given where we’re operating and who we’re serving. This was very deleterious of trust, to have third-party, unvetted insecure software on it. We have no idea how it got there, so we made the decision to effectively ban Androids internally.”
Dane Stuckey, Palantir CEO, August 2024