A Showcase.apk Android package was discovered to have excessive system privileges on a large number of Google Pixel devices sold worldwide since September 2017, a new iVerify security report said. This flaw left millions of users exposed to man-in-the-middle (MITM) attacks, malicious code, and spyware.
The dormant Verizon Retail Demo Mode app ("com.customermobile.preload.vzw") downloads the configuration file from a single US-based, AWS-hosted domain over an unsecured connection (HTTP instead of HTTPS), leaving the configuration and device vulnerable to remote code execution (RCE) and remote package installation.
The app requires over 30 permissions, including location and external storage. This critical flaw offers potential attackers system privileges on Android devices.
The APK is preinstalled on Pixel firmware and included in Google’s OTA image for Pixel devices. It was developed by Smith Micro, a company operating in the Americas and EMEA that makes remote access, parental control, and data-clearing software, most probably for sales in Verizon stores.
Since it runs at the system level, standard users cannot remove the app, and a patch is not available at this time. However, it is not enabled by default, and there is no evidence that it has ever been exploited in the wild since the exploit requires both physical access to the device and the user's password.
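The cleartext configuration download described above is the core weakness: anything fetched over HTTP can be altered in transit before the app acts on it. The following Python sketch is an added illustration, not code from the app or from the iVerify report; it contrasts a loader that parses whatever arrives with one that refuses cleartext URLs and verifies integrity first. The URLs, key, and configuration format are constructed, and HMAC stands in for a real signature scheme.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed sample values (not taken from the app or the iVerify report).
HTTP_URL = "http://config.example.invalid/retail-demo.json"
HTTPS_URL = "https://config.example.invalid/retail-demo.json"
KEY = b"constructed-demo-key"  # HMAC stands in for a real signature scheme
GENUINE = b'{"packages": [{"url": "https://cdn.example.invalid/demo.apk"}]}'
# The same file after modification in transit (constructed).
TAMPERED = GENUINE.replace(b"cdn.", b"other.")


def sign(body: bytes, key: bytes = KEY) -> str:
    """Publisher side: tag the exact bytes of the configuration file."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def load_unverified(body: bytes) -> dict:
    """Weak pattern: parse and act on whatever the network returned."""
    return json.loads(body)


def load_verified(url: str, body: bytes, tag: str, key: bytes = KEY) -> dict:
    """Hardened loader: check transport, then integrity, and only then parse."""
    if urlsplit(url).scheme != "https":
        raise ValueError("cleartext config URL refused")
    if not hmac.compare_digest(sign(body, key), tag):
        raise ValueError("config integrity check failed")
    return json.loads(body)


def outcome(url: str, body: bytes, tag: str) -> str:
    """Return 'accepted' or the reason the hardened loader refused."""
    try:
        load_verified(url, body, tag)
        return "accepted"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    tag = sign(GENUINE)
    print(load_unverified(TAMPERED)["packages"][0]["url"])  # altered URL accepted
    for url, body in [(HTTP_URL, GENUINE), (HTTPS_URL, TAMPERED), (HTTPS_URL, GENUINE)]:
        print(url.split(":")[0], outcome(url, body, tag))
```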
The June 2024 Pixel update bulletin offered a fix for the CVE-2024-32896 Google Pixel vulnerability under active exploitation – an EoP issue in Pixel firmware exploited in targeted attacks as a zero-day.
In July, security researchers discovered a new flaw in Google Cloud Platform services involving Cloud Functions and the Cloud Build CI/CD pipeline that permits privilege escalation, allowing an attacker with access to Cloud Functions to escalate the default Cloud Build service account privileges.