Security experts just found a massive flaw with Google Pixel phones | Tech Reader

Date:

Share:


Google is patching a serious firmware-level vulnerability that has been present on millions of Pixel smartphones sold worldwide since 2017. “Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update,” the company told The Washington Post.

The issue at heart is an application package called Showcase.apk, which is an element of Android firmware that has access to multiple system privileges. Ordinarily, an average smartphone user can’t enable or directly interact with it, but iVerify’s research proved that a bad actor can exploit it to inflict some serious damage.

“The vulnerability makes the operating system accessible to cybercriminals to perpetrate man-in-the-middle attacks, malware injections, and spyware installations,” says the company. The security firm revealed that the flaw opens the doors for remote code execution and remote package installation.

That means a bad actor can install malware on a target device without having physical access to it. Cybercriminals can subsequently launch various forms of attack depending on the malware injected, which includes, but is not limited to, stealing sensitive data or system takeover.

The core issue is that Showcase.apk downloads configuration assets over an unsecured HTTP connection, leaving it vulnerable to malicious actors. What makes it scarier is that users can’t directly uninstall it like they can remove other apps stored on their phones.

A very Pixel problem

Andy Boxall / Tech Reader

So, how does the Google Pixel factor in the whole sequence, and not every Android phone on the planet? Well, the Showcase.apk package comes preinstalled in the Pixel firmware and is also a core component of the OTA images that Google publicly releases for installing software updates — especially during the early development process.

iVerify notes that there are multiple ways a hacker can enable the package, even though it is not active by default. Google could face some serious heat following the disclosures for multiple reasons.

First, iVerify says it notified Google about its alarming discovery 90 days before going public, but Google didn’t provide an update on when it would fix the flaw — leaving millions of Pixel devices sold worldwide at risk. Second, one of the devices flagged as unsecured was in active use at Palantir Technologies, an analytics company recently awarded a contract worth about half a billion dollars by the U.S. Department of Defense to make computer vision systems for the U.S. Army.

Now, just for the sake of clarity, it’s not Showcase.apk itself that is problematic. It’s the way that it downloads configuration files over an unsecured HTTP connection that was deemed an open invitation for hackers to snoop in. To give you an idea of the threat, Google’s Chrome browser warns users every time they visit a website using the old HTTP protocol instead of the safer HTTPS architecture.

This is serious

The Google Pixel 9 Pro XL next to the Google Pixel 8 Pro.
Ajay Kumar / Tech Reader

Irrespective of the threat vehicle, what could land Google in trouble is that at-risk Pixel smartphones were in active usage by a defense contractor, which could theoretically put national security at risk. It’s not hard to imagine why.

Just take a look at how TikTok has been banned for federal employees in multiple states, citing similar national security concerns. “It’s really quite troubling. Pixels are meant to be clean. There is a bunch of defense stuff built on Pixel phones,” Dane Stuckey, Chief Information Security Officer at Palantir, told The Post.

The app was made by Smith Micro for telecom giant Verizon to set phones into demo mode for retail stores. Moreover, since the app itself doesn’t contain any malicious code, it’s nigh impossible for anti-virus apps or software to flag it as such. Google, on the other hand, says exploiting the flaw would require physical access and knowledge of the phone’s passcode.

iVerify, however, has also raised questions about the app’s widespread presence. When it was developed for demo units at Verizon’s request, why was the package part of Pixel firmware on devices, not just those destined for the carrier’s inventory?

Following the security audit, Palantir effectively removed all Android devices from its fleet and has shifted exclusively to iPhones, a transition that will reach completion over the next few years. Thankfully, there has been no evidence of the Showcase.apk vulnerability being exploited by bad actors.








Source link

━ more like this

NASA’s skywatching tips for December include a meteor shower

What's Up: December 2024 Skywatching Tips from NASA Table of Contents Table of Contents Planets Stars Meteors NASA’s back with its monthly update on what to look out for...

How to Write a Call Center Business Plan in 7 Steps

Writing a call center business plan helps you stay organized and forces you to think through your business model, financials, and company structure. You’ll...

The best Cyber Monday deals from Apple, Amazon, Target, Walmart, Best Buy and others

Cyber Monday 2024 is nearly over, but there are plenty of tech deals to consider if you’re looking for a few things for...

Peacock Cyber Monday streaming deal: Last chance to get a one-year subscription for only $20

Streaming deals are hard to come by nowadays, especially after all of the price hikes that have happened in recent months. But Cyber...

Cyber Monday Strategy: Should you save the full $466 on a complete Microsoft Surface Pro 11 for Cyber Monday?

A lot of Cyber Monday deals can give you a feeling of restriction. And by this, I mean there isn’t a lot of...
spot_img