Key Findings

• iVerify discovered an Android package, "Showcase.apk," with excessive system privileges, including remote code execution and remote package installation capabilities, on a very large percentage of Pixel devices shipped worldwide since September 2017
  
  

• The application downloads a configuration file over an unsecure connection and can be manipulated to execute code at the system level
  
  

• The application retrieves the configuration file from a single US-based, AWS-hosted domain over unsecured HTTP, which leaves the configuration vulnerable and can makes the device vulnerable
  
  

• The app vulnerability leaves millions of Android Pixel devices susceptible to man-in-the-middle (MITM) attacks, giving cybercriminals the ability to inject malicious code and dangerous spyware
  
  

• Cybercriminals can use vulnerabilities in the app's infrastructure to execute code or shell commands with system privileges on Android devices to take over devices to perpetrate cybercrime and breaches
  
  

• Removal of the app is not possible through a user’s standard uninstallation process, and at this time, Google has not offered a patch for the vulnerability
  
  

• It appears that Showcase.apk is preinstalled in Pixel firmware and included in Google’s OTA image for Pixel devices
  
  

• The app is not enabled by default, but there might be multiple methods to enable it. The iVerify research team investigated one method requiring physical access

Overview 

Earlier this year, iVerify's EDR capability flagged an Android device at Palantir Technologies as unsecure, which launched an investigation in partnership with Palantir and Trail of Bits. The investigation revealed an Android application package, Showcase.apk, that is part of the firmware. When enabled, Showcase.apk makes the operating system accessible to hackers and ripe for man-in-the-middle attacks, code injection, and spyware. The impact of this vulnerability is significant and could result in data loss breaches totaling billions of dollars. iVerify notified Google with a detailed vulnerability report following their 90-day disclosure process. It's unclear when Google will issue a patch or remove the software from the phones to mitigate the potential risks.

The Showcase.apk package was developed by Smith Micro, a software company operating in the Americas and EMEA that provides software packages for remote access, parental control, and data-clearing tools. Smith Micro likely designed the package to enhance sales of Pixel and Android phones in Verizon stores. The app is part of the firmware image, so millions of Android Pixel phones worldwide could have this application running at the system level.

The application package is designed to retrieve a configuration file over unsecured HTTP. It allows the app to execute system commands or modules that could open a backdoor, making it easy for cybercriminals to compromise the device. Since this app is not inherently malicious, most security technology may overlook it and not flag it as malicious, and since the app is installed at the system level and part of the firmware image, it can not be uninstalled at the user level.

Notable Technical Analysis  

The Showcase.apk code runs at the system level and is designed to turn the phone into a demo device, which fundamentally changes the way the operating system works. It was notable because the application runs in a highly privileged context, which is unnecessary for the intended purpose of the application. Other notable characteristics of the application include:

• The application fails to authenticate or verify a statically defined domain during retrieval of the application’s configuration file. If the application already maintains a persistent configuration file, it is unclear if additional checks are in place to ensure the configuration parameters for command-and-control or file retrieval are up to date
  
  

• The application uses unsecure default variable initialization during certificate and signature verification, resulting in valid verification checks after failure
  
  

• The application's configuration file may be altered before retrieval or transit to the targeted phone
  
  

• The application fails to handle the condition where public keys, signatures, and certificates are not bundled in its resources; excluding these non-mandatory files may result in altogether bypassing the verification process during package or file download
  
  

• The application communicates insecurely with a predefined URL over HTTP to retrieve remote files and the application configuration file. The URL is constructed predictably

Conclusion

The Showcase.apk discovery and other high-profile incidents, like running third-party kernel extensions in Microsoft Windows, highlight the need for more transparency and discussion around having third-party apps running as part of the operating system. It also demonstrates the need for quality assurance and penetration testing to ensure the safety of third-party apps installed on millions of devices.

Further, why Google installs a third-party application on every Pixel device when only a very small number of devices would need the Showcase.apk is unknown. The concern is serious enough that Palantir Technologies, who helped identify the security issue, is opting to remove Android devices from its mobile fleet and transition entirely to Apple devices over the next few years. On most devices iVerify researchers analyzed, the app was inactive by default and had to be manually enabled. To avoid endangering users, we are redacting our way of enabling the app in the full report. There might be other ways to enable the app or situations where the app is enabled by default.

Full detailed reports of the vulnerability analysis and penetration testing can be downloaded here.