August 16, 2024 at 03:15AM
Dormant software in certain Google Pixel devices presents a vulnerability, allowing potential nefarious attacks and malware delivery. The issue stems from a pre-installed Android app with extensive system privileges, leaving devices susceptible to remote code execution. Despite being non-malicious, the app’s potential exploitation prompted Google to remove it from supported devices as a precaution.
Meeting Notes – Aug 16, 2024
Summary:
– Google’s own Pixel devices shipped globally since September 2017 included dormant software, “Showcase.apk,” with excessive system privileges, potential for nefarious attacks, and malware delivery.
– The app “Verizon Retail Demo Mode” by Smith Micro, embedded into Android firmware, has nearly three dozen permissions and is required by Verizon on Android devices, leaving Pixel smartphones susceptible to adversary-in-the-middle attacks.
– The issue stems from the app downloading a configuration file over unencrypted HTTP, making the device vulnerable to alteration during transit.
– Although the app is not enabled by default, its presence at the system level poses a potential threat with physical access to the target device and developer mode enabled.
– Google clarified that the vulnerability is related to a package file developed for Verizon in-store demo devices and assured its removal from supported in-market Pixel devices with an upcoming software update.
Key Actions:
– Google to remove the app from supported in-market Pixel devices with an upcoming software update.
– Google to notify other Android OEMs regarding the issue.