Skip to main content

Digital Trends may earn a commission when you buy through links on our site. Why trust us?

Security experts just found a massive flaw with Google Pixel phones

A person holding the Google Pixel 8 Pro.
Google Pixel 8 Pro Andy Boxall / Digital Trends

Google is patching a serious firmware-level vulnerability that has been present on millions of Pixel smartphones sold worldwide since 2017. “Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update,” the company told The Washington Post.

The issue at heart is an application package called Showcase.apk, which is an element of Android firmware that has access to multiple system privileges. Ordinarily, an average smartphone user can’t enable or directly interact with it, but iVerify’s research proved that a bad actor can exploit it to inflict some serious damage.

“The vulnerability makes the operating system accessible to cybercriminals to perpetrate man-in-the-middle attacks, malware injections, and spyware installations,” according to the company. The security firm revealed that the flaw opens the doors for remote code execution and remote package installation.

That means a bad actor can install malware on a target device without having physical access to it. Cybercriminals can subsequently launch various forms of attack depending on the malware injected, which includes, but is not limited to, stealing sensitive data or system takeover.

The core issue is that Showcase.apk downloads configuration assets over an unsecured HTTP connection, leaving it vulnerable to malicious actors. What makes it scarier is that users can’t directly uninstall it like they can remove other apps stored on their phones.

A very Pixel problem

The Google Pixel 8a's screen.
Andy Boxall / Digital Trends

So, how does the Google Pixel factor in the whole sequence, and not every Android phone on the planet? Well, the Showcase.apk package comes preinstalled in the Pixel firmware and is also a core component of the OTA images that Google publicly releases for installing software updates — especially during the early development process.

iVerify notes that there are multiple ways a hacker can enable the package, even though it is not active by default. Google could face some serious heat following the disclosures for multiple reasons.

First, iVerify says it notified Google about its alarming discovery 90 days before going public, but Google didn’t provide an update on when it would fix the flaw — leaving millions of Pixel devices sold worldwide at risk. Second, one of the devices flagged as unsecured was in active use at Palantir Technologies, an analytics company recently awarded a contract worth about half a billion dollars by the U.S. Department of Defense to make computer vision systems for the U.S. Army.

The Google Pink 9 in its pink color.
Joe Maring / Digital Trends

Now, just for the sake of clarity, it’s not Showcase.apk itself that is problematic. It’s the way that it downloads configuration files over an unsecured HTTP connection that was deemed an open invitation for hackers to snoop in. To give you an idea of the threat, Google’s Chrome browser warns users every time they visit a website using the old HTTP protocol instead of the safer HTTPS architecture.

After publishing this story, a Google spokesperson sent the following statement to Digital Trends for further clarification about the whole situation:

“This is not an Android platform, nor Pixel vulnerability, this is an APK developed by Smith Micro for Verizon in-store demo devices and is no longer being used. Exploitation of this app on a user phone requires both physical access to the device and the user’s password. We have seen no evidence of any active exploitation. Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update. The app is not present on Pixel 9 series devices. We are also notifying other Android [manufacturers].”

This is serious

The Google Pixel 9 Pro XL next to the Google Pixel 8 Pro.
Ajay Kumar / Digital Trends

Irrespective of the threat vehicle, what could land Google in trouble is that at-risk Pixel smartphones were in active usage by a defense contractor, which could theoretically put national security at risk. It’s not hard to imagine why.

Just look at how TikTok has been banned for federal employees in multiple states, citing similar national security concerns. “It’s really quite troubling. Pixels are meant to be clean. There is a bunch of defense stuff built on Pixel phones,” Dane Stuckey, chief information security officer at Palantir, told The Post.

The app was made by Smith Micro for telecom giant Verizon to set phones into demo mode for retail stores. Moreover, since the app itself doesn’t contain any malicious code, it’s nigh impossible for antivirus apps or software to flag it as such. Google, on the other hand, says exploiting the flaw would require physical access and knowledge of the phone’s passcode.

iVerify, however, has also raised questions about the app’s widespread presence. When it was developed for demo units at Verizon’s request, why was the package part of Pixel firmware on devices, not just those destined for the carrier’s inventory?

Following the security audit, Palantir effectively removed all Android devices from its fleet and has shifted exclusively to iPhones, a transition that will reach completion over the next few years. Thankfully, there has been no evidence of the Showcase.apk vulnerability being exploited by bad actors.

Nadeem Sarwar
Nadeem is a tech journalist who started reading about cool smartphone tech out of curiosity and soon started writing…
Forget the Pixel 9 Pro. Here’s why I’m keeping my Pixel 7 Pro
Someone holding the Google Pixel 7 Pro.

Another year, another Pixel. Well, in this case, four new Pixels -- without including the Google Pixel 9a, which may arrive later this year. The Made by Google August event for 2024 introduced a mighty four new phones to the Pixel brand, the Google Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, and Pixel 9 Pro Fold.

All four have the usual upgrades you'd expect from a new model of any smartphone, but there's a much more unwelcome surprise lurking beneath the shiny spec sheets: another price increase. The Pixel 9 and Pixel 9 Pro XL cost $100 more than the Pixel 8 and Pixel 8 Pro -- which were already $100 more expensive than the Pixel 7 and Pixel 7 Pro. Yes, that means Google has increased its prices for two years running.

Read more
Google just launched these 5 new features for your Android phone
The display on the Google Pixel 9 Pro XL.

Google is bringing a handful of new features to Android phones, including tools to keep users safe during a natural disaster, enhancements to accessibility using AI, and easier music discovery. Simultaneously, the company has reached a critical milestone with Android 15, pushing it closer to its public release in the coming weeks.
Keeping users safe during earthquakes

Google says its remarkable earthquake alert system is now available to users across all American states and territories. It plans to reach the entire target base within the next few weeks. Google has been testing the system, which also relies on vibration readings collected from a phone’s accelerometer, since 2020.

Read more
Android 15 has reached a turning point
Android 15 logo on a Google Pixel 8.

Google is finally pushing Android 15 to the Android Open Source Project (AOSP), marking a crucial milestone when companies begin prepping their respective software experiences for their smartphones and developers start fine-tuning their apps. As far as a public release, the stable public build of Android 15 will be released for compatible Pixel phones in the coming weeks.

Android 15 will also make its way to “devices from Samsung, Honor, iQOO, Lenovo, Motorola, Nothing, OnePlus, Oppo, Realme, Sharp, Sony, Tecno, Vivo and Xiaomi in the coming months,” says Google. If you have a Pixel phone, you can install the Android 15 QPR1 Beta update to get a taste of what’s coming.

Read more