Google Pixel devices carry an Android app that can be exploited to execute code
Take action: Check whether your Android device has the Showcase app, and whether it is disabled. Update your Android phone regularly, since vendors will disable the app. If you are a developer, build code with limited permissions, enforce HTTPS for all communication and validate externally downloaded data using code signing.
Millions of Google Pixel devices shipped since September 2017 contain a pre-installed Android app, "Showcase.apk," which enables remote code execution. Researchers from iVerify report that the app, originally intended for in-store demonstrations, possesses excessive system-level privileges. These privileges allow it to remotely execute code and install packages, exposing affected devices to potential exploitation.
The app’s critical flaw lies in its retrieval of a configuration file via unsecured HTTP from a single AWS-hosted domain, exposing it to man-in-the-middle (MITM) attacks. Threat actors could tamper with the configuration file, injecting malicious code that executes with system-level privileges, leading to complete device takeover and potential large-scale data breaches.
Key issues include:
- The app runs with excessive privileges, such as remote code execution and package installation.
- It fetches its configuration file over an unsecured HTTP connection, allowing easy manipulation by attackers.
- The configuration retrieval process does not verify the authenticity of the domain it downloads from, enabling threat actors to exploit this flaw without user interaction.
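The two missing controls from the list above, HTTPS-only transport and verification of the downloaded configuration against a key pinned in the app, as an added Go example that is not code from iVerify, Google or the Showcase app; the key, URL and config contents are constructed, and the fetch step is injected so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

var ErrInsecureURL = errors.New("config URL must be a valid https:// URL")
var ErrBadSignature = errors.New("config signature does not verify against the pinned key")

// verifyConfig applies the config only if its detached Ed25519 signature
// validates against a public key pinned in the app, so a tampered file is
// rejected even if the transport were subverted.
func verifyConfig(pinned ed25519.PublicKey, config, sig []byte) ([]byte, error) {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, config, sig) {
		return nil, ErrBadSignature
	}
	return config, nil
}

// loadConfig is the hardened retrieval path: refuse any source that is not
// https:// (the app in the article fetched over plain HTTP), fetch the file
// and its detached signature, then verify before use. fetch is injected so
// the example runs offline; a real app would use an HTTPS client here.
func loadConfig(pinned ed25519.PublicKey, rawURL string, fetch func(string) ([]byte, []byte, error)) ([]byte, error) {
	if u, err := url.Parse(rawURL); err != nil || u.Scheme != "https" {
		return nil, ErrInsecureURL
	}
	config, sig, err := fetch(rawURL)
	if err != nil {
		return nil, err
	}
	return verifyConfig(pinned, config, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key; only pub is pinned
	config := []byte(`{"demo_mode":true}`)           // constructed sample config
	sig := ed25519.Sign(priv, config)
	fetch := func(string) ([]byte, []byte, error) { return config, sig, nil }
	_, err := loadConfig(pub, "http://cfg.example.invalid/showcase.json", fetch)
	fmt.Println("plain-http source rejected:", errors.Is(err, ErrInsecureURL))
	got, err := loadConfig(pub, "https://cfg.example.invalid/showcase.json", fetch)
	fmt.Println("signed config accepted:", err == nil && string(got) == string(config))
}
```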
While the app is disabled by default, it can be activated through various methods, including those that require physical access to the device. The app cannot be uninstalled through standard processes, and Google has yet to issue a patch or removal solution. Although no active exploitation has been reported, this backdoor vulnerability has raised concerns, leading organizations like Palantir Technologies to phase out Android devices in favor of more secure alternatives.
Google has acknowledged the issue but clarified that it is not a flaw in Android or Pixel itself. The company plans to remove the app in an upcoming software update for all supported Pixel devices. They are also working to notify other Android OEMs that may be affected.