Google Pixel phones sold with security vulnerability, report finds

Most Google Pixel phones sold since September 2017 included software that could be used to surveil or remotely control users’ phones, according to a new report from the cybersecurity company iVerify.

The vulnerability was discovered after iVerify’s endpoint detection and response (EDR) scanner flagged an insecure Android device at Palantir Technologies, an iVerify client. After launching a joint investigation, iVerify, Palantir, and Trail of Bits discovered a hidden Android software package — Showcase.apk — across Google Pixel devices. The data-mining firm Palantir, which sells its surveillance products to governments and private companies, banned Android devices across the company in response.

“This was very deleterious of trust, to have third-party, unvetted insecure software on it,” Dane Stuckey, Palantir’s chief information security officer, told The Washington Post. “We have no idea how it got there, so we made the decision to effectively ban Androids internally.”

According to iVerify’s report, the software was developed by a company called Smith Micro Software and appears to have been created for Verizon for in-store demos. The app was inactive by default and had to be manually enabled, the iVerify report found. “When enabled, Showcase.apk makes the operating system accessible to hackers and ripe for man-in-the-middle attacks, code injection, and spyware,” the report reads. “The impact of this vulnerability is significant and could result in data loss breaches totaling billions of dollars.”

In a statement to The Verge, Google spokesperson Ed Fernandez said the software was made “for Verizon in-store demo devices and is no longer being used,” adding that Google has “seen no evidence of any active exploitation.”

iVerify told Google about its report in early May, according to Wired. The company had not publicly disclosed the vulnerability, nor has it released a software update to remove the problem. Fernandez, the Google spokesperson, told Wired that Android would remove the app from all Pixel devices “in the coming weeks.”

“It’s really quite troubling. Pixels are meant to be clean,” Stuckey, of Palantir, told the Post. “There is a bunch of defense stuff built on Pixel phones.”