iVerify Discovers Severe Android Vulnerability Impacting Millions of Devices Around the World

Published Aug 15, 2024

Vulnerability leaves millions of Android devices susceptible to man-in-the-middle (MITM) attacks and other dangerous malware and spyware.

NEW YORK CITY, August 15, 2024 - iVerify, the leader in advanced mobile endpoint detection and response (EDR) solutions, today announced the discovery of a serious Android security vulnerability that impacts millions of Pixel devices globally. The vulnerability makes the operating system accessible to cybercriminals to perpetrate man-in-the-middle attacks, malware injections, and spyware installations. The potential impact of this Android security vulnerability is unknown and could result in millions of dollars in data loss and breaches.

iVerify, in concert with the information security team at Palantir Technologies, initially identified and investigated a vulnerability in an Android app package called Showcase.apk. The application runs at the system level and can fundamentally change the phone's operating system. Since the application package is installed over unsecured HTTP protocols, this opens a backdoor, making it easy for cybercriminals to compromise the device. iVerify notified Google of the vulnerability and submitted a detailed report after discovering it on customer devices that did not pass iVerify's behavior-based detections. It's unclear if Google will issue a patch or remove the software from the phones to mitigate the potential risks.

Furthermore, users cannot remove this app because it is part of the firmware image, and Google does not allow end-users to alter the firmware image for security reasons. 

"While we don't have evidence this vulnerability is being actively exploited, it nonetheless has serious implications for corporate environments, with millions of Android phones entering the workplace every day," said Rocky Cole, Co-founder and Chief Operations Officer of iVerify. "Google is essentially giving CISOs the impossible choice of accepting insecure bloatware or banning Android entirely."

Cybercriminals can use vulnerabilities in the app's infrastructure to access system privileges and take over devices to perpetrate cybercrime and breaches. Cybercriminals could then leverage this app to distribute malicious Android packages and remote code, and configure files to compromise the app development chain and alter the app's functionality. 

“We're supporting some of the most important institutions in the Western world. Google embedding third-party software in Android’s firmware without reviewing the quality or security of these apps, and not disclosing this to vendors or users, creates significant security vulnerability to anyone who relies on this ecosystem,” said Dane Stuckey, the Chief Information Security Officer of Palantir Technologies.

The Android package, "Showcase.apk," was found on a very large percentage of Pixel devices shipped worldwide since September 2017. Google shipped about 10 million Pixels worldwide in 2023 in North America, which is about 3% of all smartphone sales in 2023. 

Since this app is not inherently malicious, most security technologies cannot detect it as malicious. iVerify's mobile EDR solution can scan these devices to detect if vulnerabilities exist and, through conditional access, prevent non-compliant, vulnerable, and malware-infected devices from accessing critical data and services.



About iVerify

iVerify believes users shouldn't have to sacrifice privacy for security. Our easy-to-deploy solution provides fleet-wide iOS and Android security telemetry without requiring a management profile on the device, allowing users to keep their personal data private and secure their mobile devices from advanced malware, vulnerabilities, and targeted smishing attacks. Learn more at iVerify.io


Media Contact

press@iverify.com