Millions of Google Pixel Devices Shipped with Vulnerable App, Putting Users at Risk
A significant number of Google's Pixel devices shipped worldwide since September 2017 have included dormant software that could potentially be exploited for malicious purposes, such as launching attacks or spreading malware.
The issue is linked to a pre-installed Android app called "Showcase.apk," which has excessive system privileges, including the ability to remotely execute code and install software on the device, as reported by mobile security firm iVerify.
According to an analysis published by iVerify in collaboration with Palantir Technologies and Trail of Bits, the app downloads a configuration file over an insecure connection, making it susceptible to manipulation that could allow code execution at the system level.
The app retrieves this configuration file from a U.S.-based domain hosted on AWS over plain, unencrypted HTTP, so anyone positioned on the network path can alter the file in transit.
The problematic app, known as Verizon Retail Demo Mode ("com.customermobile.preload.vzw"), requires nearly three dozen different permissions, including access to location and external storage, based on data uploaded to VirusTotal in February. Posts on Reddit and XDA Forums indicate that this app has been present since August 2016.
The core issue lies in the app downloading the configuration file over an unencrypted HTTP connection instead of HTTPS, which exposes it to tampering during transmission. However, there is no evidence that this vulnerability has been exploited in the wild.
It's important to note that the app in question was not developed by Google. Instead, it was created by an enterprise software company called Smith Micro to enable demo mode on devices. While it’s unclear why third-party software is embedded directly into Android firmware, a Google representative clarified that Verizon required this application on all Android devices.
The presence of this app makes Android Pixel smartphones vulnerable to adversary-in-the-middle (AitM) attacks, allowing malicious actors to inject harmful code and spyware.
Although the app operates with high system-level privileges, it has several security flaws. It fails to authenticate or verify the statically defined domain from which it retrieves its configuration file, and it uses insecure default variable initialization during certificate and signature verification. As a result, a verification check can report success even when the check itself failed partway through.
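The two flaws described above, shown side by side as an added illustration rather than code from the app or the iVerify report: a verifier whose result variable starts out "valid" (so a malformed signature that raises an exception is never marked invalid) next to a fail-closed version, plus a source check that insists on HTTPS and a pinned host. The MAC key, host name and config body are constructed placeholders.

```python
import hashlib
import hmac
import logging
from urllib.parse import urlparse

# Constructed demo values; a real app would pin a public key and its config host.
CONFIG_KEY = b"demo-key-not-real"
EXPECTED_HOST = "config.example.invalid"


def sign_config(body: bytes) -> str:
    """MAC a legitimate config server would attach (demo helper, hex-encoded)."""
    return hmac.new(CONFIG_KEY, body, hashlib.sha256).hexdigest()


def verify_config_vulnerable(body: bytes, signature: str) -> bool:
    """Fail-open pattern: the result is initialised to True, so any exception
    raised while checking (here, a non-hex signature) leaves it True."""
    valid = True  # insecure default: assumed good before anything is checked
    try:
        expected = hmac.new(CONFIG_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(signature)):
            valid = False
    except ValueError:  # malformed signature -> logged, but 'valid' untouched
        logging.warning("signature check raised; config still accepted")
    return valid


def verify_config_fixed(body: bytes, signature: str) -> bool:
    """Fail-closed: nothing is trusted until the comparison itself succeeds."""
    try:
        expected = hmac.new(CONFIG_KEY, body, hashlib.sha256).digest()
        return hmac.compare_digest(expected, bytes.fromhex(signature))
    except ValueError:
        logging.warning("malformed signature; config rejected")
        return False


def is_trusted_source(url: str) -> bool:
    """Require TLS and the pinned host before fetching a config at all."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname == EXPECTED_HOST


def accept_config(url: str, body: bytes, signature: str) -> bool:
    """Full fail-closed decision: trusted source AND valid signature."""
    return is_trusted_source(url) and verify_config_fixed(body, signature)
```

With a well-formed but wrong signature both verifiers reject the file; the difference appears only on the exception path, which is exactly the case a fail-open default hides.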
However, the risk is somewhat mitigated by the fact that the app is not enabled by default. It can only be activated if an attacker has physical access to the device and developer mode is enabled.
Because the app isn't inherently malicious, it may go unnoticed by most security technologies and won’t be flagged as a threat. Additionally, since it’s installed at the system level as part of the firmware, users cannot uninstall it.
Google responded to these concerns by stating that the issue is not a vulnerability in the Android platform or Pixel devices themselves, but rather related to a package file developed for Verizon’s in-store demo devices. They emphasized that there is no evidence of active exploitation and that the app is no longer in use. Google plans to remove this app from all supported Pixel devices in an upcoming software update. It’s worth noting that this app is not present on Pixel 9 series devices, and other Android OEMs are also being notified.