
MacRumors

macrumors bot
Original poster
Apr 12, 2001
65,005
33,194


Some Android smartphones have been found to contain a hidden security vulnerability that could allow remote access to user data, alarming cybersecurity experts and leading to a halt in the use of these devices by a major intelligence contractor, The Washington Post reports.


The vulnerability, identified by the security firm iVerify, involves a pre-installed application known as Showcase.apk, which, though dormant by default, can be activated to potentially allow unauthorized remote access to the devices. The Showcase.apk application was discovered within certain models of Android phones, including Google Pixel devices.

According to iVerify, the application appears to have been designed for use in retail environments, allowing employees to demonstrate the device's features to customers. However, researchers found that when activated, the application could connect to a server via an unsecured "http" connection, making it vulnerable to interception by cybercriminals. This flaw could enable attackers to execute code remotely, potentially injecting malicious code or spyware and gaining access to sensitive data stored on the device.

Palantir Technologies, a data analysis platform vendor that often works with government agencies and other security-sensitive clients, expressed grave concerns about the implications of this vulnerability. The company has ceased the use of Android phones for their employees as a result.

The presence of this vulnerability on Pixel devices is particularly notable since they are known for receiving timely security updates directly from Google. Google has now announced that it will issue an update to remove the Showcase.apk application from all supported Pixel devices. Distributors of other Android phones will also be officially notified of the issue.

Article Link: Android Phones Exposed to Remote Access Vulnerability
 

now i see it

macrumors G4
Jan 2, 2002
11,142
23,892
Likely this was a hackable route for many many many many years.

Just goes to show — just because Google & Apple say their phones are secure — doesn’t mean they are. It just means that they aren’t aware of an existing vulnerability.
 

surfsofa

macrumors member
Feb 20, 2004
75
157
Bay Area
Perhaps not surprising on an Apple fan site, but this article doesn’t mention that you need physical access to the device and the passcode to unlock it in order to exploit.

I use both iPhone and Pixel, because each is stronger than the other in certain areas. I will happily continue using my Pixel because it’s always with me.
 

AppliedMicro

macrumors 68030
Aug 17, 2008
2,698
3,639
“A pre-installed application known as Showcase.apk, which, though dormant by default, can be activated to potentially allow unauthorized remote access to the devices” doesn’t even sound like a remote access vulnerability.
Presumably they’re referencing side loading and unregulated app stores.
Alternative app stores are regulated.

Crowdstrike messed up and Microsoft said those apis shouldn’t have been exposed to crowdstrike if not for EU mandate.
Administrator users can install software on operating systems like Windows or macOS that can potentially break things. API access or not.
 

AppliedMicro

macrumors 68030
Aug 17, 2008
2,698
3,639
It will be, when Apple has to expose same internals
They don’t have to.

This is a demo retail mode app with elevated privileges.

Having such apps with special privileges around (and in this case waking them from dormancy) is the real danger.
Security by obscurity as in “Apple has it but only they know about things” does not remedy that at all.
 

ACHD

macrumors regular
Jul 28, 2015
202
363
And yet Android users come into the iPhone forums to tell us how superior their platform is. :oops:
Apple is targeted all the time and their exploits are often sold on the black markets... neither platform is bulletproof xD

A LOT of it comes down to you being smart.

But iPhone had multiple vulnerabilities where people could silent message you stuff and if your phone's message app got it they effectively had control of your device.

It was so bad that companies introduced free apps and paid apps that would check for that kind of vulnerability to see if you had been affected since it left no (visible) trail behind.

They, unlike Apple, at least acknowledged it quickly once notified and advised of a plan to rectify it.
 

Analog Kid

macrumors G3
Mar 4, 2003
9,220
12,252
So, there's some bad practices at work here (retaining unused applications, http transactions) but this seems to be another potential vulnerability that only manifests at the end of a long chain of "it's possible"s.

I'm all for ridiculing bad security practices, but this seems to be a minor vulnerability in the grand scheme. The WaPo article suggests it requires physical access and a password to activate, and includes a mere hypothetical suggestion that a skilled hacker might activate it remotely.

Unless the iVerify report shows something more substantial, I'd just suggest people don't put their phones into store demo mode until the patch arrives.
 