Subject : Re: Washington Post says Google sold Android phones with hidden insecure feature
From : andrew (at) *nospam* spam.net (Andrew)
Newsgroups : comp.mobile.android
Date : 16. Aug 2024, 03:27:32
Organisation : BWH Usenet Archive (https://usenet.blueworldhosting.com)
Message-ID : <v9mdek$145d$1@nnrp.usenet.blueworldhosting.com>
References : 1 2
User-Agent : NewsTap/5.5 (iPad)
Jeff Layman wrote on Thu, 15 Aug 2024 22:31:17 +0100 :
> I assume that showcase.apk was removed when grapheneOS was installed as
> that is intended for use in Pixel phones.
You're correct that "showcase.apk" seems to be the culprit, according to
this news article about the Pixel flaw which shipped since 2017 apparently.
*Researchers claim most Google Pixel phones shipped with exploitable bloatware since 2017*
<https://www.engadget.com/mobile/smartphones/researchers-claim-most-google-pixel-phones-shipped-with-exploitable-bloatware-since-2017-185926564.html>
"The issue relates to "Showcase.apk," a bit of software made for
Verizon and used to put Pixel devices in demo mode while displayed
in retail stores.
The software downloads a configuration file over an unencrypted
web connection, which - because of Showcase's deep access - might
allow bad actors to perform remote code execution or remote
package installation on the device.
The especially troubling part of this discovery is that Showcase
can't be uninstalled at the user level. And while it is not
enabled by default, iVerify said there could be multiple ways
to activate the software. iVerify alerted Google to the
vulnerability in May; thus far there's no confirmed evidence
it's been exploited in the wild.
A Google spokesperson told Wired that Showcase is no longer being
used by Verizon and that Google would have a software update to
remove the software from all Pixel devices in the coming weeks.
Additionally, the rep said Showcase is not present in the line
of Google Pixel 9 devices announced during the Made by Google
event this week."