Date: 2024-08-18

Tech Report is one of the oldest hardware, news, and tech review sites on the internet.

Cybersecurity firm iVerify found a vulnerability in Google Pixel apps that has existed since 2017 and could be affecting millions of users. The vulnerability was found in a pre-installed app called Showcase.apk, which was used to turn on demo mode on devices for in-store displays.

Showcase.apk is a pre-installed Android app developed by Smith Micro.

Initially not part of the Android firmware, the app was later embedded in it at the request of Verizon (the mobile carrier).

The app is very powerful and runs with high system privileges. If it is compromised, threat actors can use it to execute code remotely or install malicious packages on the device.

However, before this app can be compromised, there needs to be an entry point. This entry point is provided by the way Showcase.apk communicates with its host.

“The application downloads a configuration file over an insecure connection and can be manipulated to execute code at the system level” - iVerify’s report

In simple terms, the app retrieves its configuration file from a single US-based domain hosted on Amazon Web Services (AWS) over an unsecured HTTP connection. This insecure connection leaves the file vulnerable to interception in transit, which puts the device at risk.

Google Is Already Working on a Fix

The vulnerability is present in many devices that have been shipped since 2017. So the total number of users at risk could be in the millions. But the good news is, a fix is already underway.