Last month, researchers uncovered a security flaw that affected a “very large percentage” of Pixel phones. Google’s new update, rolling out today, fixes that vulnerability.
Several weeks ago, online security firm iVerify published a blog detailing how the vast majority of Pixel phones shipped since 2017 contained software called showcase.apk. The software wasn’t intended for consumers but for Verizon store employees to show off Pixel phone features.
Also: Why the NSA advises you to turn off your phone once a week
The issue was that showcase.apk has very high system privileges and can even execute code and install software remotely. In theory, someone with malicious intentions could access the Amazon Web Services domain that powers the software and place malware or spyware on an unsuspecting person’s phone.
Since the app came pre-installed, users couldn’t remove it manually.
Today’s security update from Google removes showcase.apk entirely. The blog post doesn’t mention that software by name, only saying that there is “fix to remove third party APK to address security vulnerability.”
When iVerify discovered the exploit, Google said it had no evidence of anyone taking advantage of it. The problem was severe enough, though, that Palantir Technologies, the company that helped identify the security issue in the first place, banned use of Android devices.
Also: Worried about the YubiKey 5 vulnerability? Here’s why I’m not
An important caveat is that iVerify noted showcase.apk wasn’t enabled by default. “There might be multiple methods to enable it,” the report explained, but the “iVerify research team investigated one method requiring physical access.”
It seems likely this flaw would have been fairly tough for someone to exploit anyway, but Google is removing it regardless.
The update applies to the Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel Fold, and Pixel Tablet. The app wasn’t preloaded onto the Pixel 9 series.