iVerify shared its findings with The Washington Post, which reports that Google’s master software for Pixel phones included a feature that gave Verizon sales employees deep access to the devices to help with demos.
This feature has security flaws. This came to light after iVerify’s endpoint detection and response (EDR) scanner revealed an insecure Android device at Palantir Technologies, an iVerify client that makes defense software solutions for the US military.
When the matter was investigated by iVerify, Palantir, and Trail of Bits, it was discovered that Google’s Pixel devices contained a hidden Android app called Showcase, developed by software maker Smith Micro. For a third-party app, it has a disturbingly high level of privilege.
iVerify researchers suspect that other Android devices may also have the app.
Showcase is an otherwise dormant app that can be enabled by cybercriminals remotely, though Google denies that and says physical possession and the user password would be required to exploit the app.
When Showcase is active, it downloads instructions from an insecure website. Hackers can intercept the data that’s transmitted and even send malicious spying instructions instead.
It cannot be deleted from phones by users, which means millions of Pixel devices out there are vulnerable to man-in-the-middle attacks.
Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update.
Ed Fernandez, Google spokesperson, August 2024
Mobile security is a very real concern for us, given where we’re working and who we’re serving. This was very deleterious of trust, to have third-party, unvetted insecure software on it. We do not know how it got there, so we made the decision to effectively ban Androids internally.
Dane Stuckey, Palantir CEO, August 2024