The vulnerability, identified by the security firm iVerify, involves a pre-installed application known as Showcase.apk, which, though dormant by default, can be activated to potentially allow unauthorized remote access to the devices.

AKA: they installed a backdoor to spy on people

I wonder if it is on the "Secure" OSs like Graphene and Calyx
 
And yet Android users come into the iPhone forums to tell us how superior their platform is. :oops:
Well, the article here is very poorly written and it implies it affects all Android smartphones when it's just the Pixels that are confirmed as affected.
Here, a much better article.

Showcase.apk is a carrier app created for Verizon to demo the phones in stores. Also this app doesn't come preloaded on the Pixel 9 for example. It will be a very quick and easy fix. Google doesn't sell many phones anyway, 0.00001% of Android users are potentially affected by this.

Also very important:
For end users, the level of risk here seems minimal. While the app is pre-installed on Pixel devices, it’s disabled by default, requiring physical access to the device (and the passcode) to enable it. And, in our brief testing, there’s no easy way to access the app
They actually tried to access the app and they couldn't.
 
Well I guess I shouldn't have pre-ordered the Google Pixel 9 Pro Extra-Large and Extra-Fabulous Rose Quartz model. 😩

...though to be fair, if cybercriminals did break in, all they'd find are my vast collection of cat memes. 🤪
Pixel 9 doesn't come preloaded with this apk, it's not affected.
And even if it was, a simple update to remove the app is all that's needed.
 
https://grapheneos.social/@GrapheneOS/112967309987371034

"Wired was manipulated into spreading misinformation to market Palantir and iVerify by misrepresenting a vulnerability in a disabled demo app as being a serious problem which could be exploited in the real world. They should retract the article but won't."

"iVerify are scammers and anyone paying them money should rapidly stop doing it and remove their malware from their devices. The real security risk is giving remote code execution on your devices to one of these sketchy EDR companies lying about their capabilities and discoveries."


Not much more to say about it.
 
Yeah also:

We omit their app from GrapheneOS and we could promote it based on that but we don't believe in doing that when this is not a real vulnerability. It's a disabled component that's not exposing any attack surface for the stock Pixel OS. You need to get ADB access or exploit the OS to enable it and at that point you already have far more access. There's no value to attackers from this app. It's ridiculous.

So in order to exploit it you need full access to the device, at which point, why would somebody bother with this app? Especially since it's a Pixel thing mostly.
 
Well only Pixels were confirmed to be affected anyway.
It is not confirmed to be limited to only Pixels. "It’s not clear if other Android devices also have “Showcase” installed, but Google is apparently “notifying other Android OEMs.”" Also, this was a dormant app that no one was using, so it should have been removed a long time ago. Better late than never but it seems like Google was slow to deal with this.
 
Well actually only Pixels are confirmed to be affected, anything else is implied/assumed. The fact that Google notified others doesn't mean they are affected.

Anyway, the app was always disabled and in order to activate it you need physical access to the phone and its password, at which point why bother with this app at all? Also those at 9to5Google tried to activate the app themselves and couldn't, so it's not a walk in the park even if you want to do it to your own phone.

Google knew very well what this was and maybe set up a schedule for when they issue the app removal update. It's not a burning problem like it was initially implied.
 
Perhaps not surprising on an Apple fan site, but this article doesn’t mention that you need physical access to the device and the passcode to unlock it in order to exploit.

I use both iPhone and Pixel, because each is stronger than the other in certain areas. I will happily continue using my Pixel because it’s always with me.
"The application, called Showcase.apk, is normally dormant. But iVerify was able to enable it on a device in its possession, and the company believes skilled hackers could also enable it from afar."
 
There are several vulnerabilities in iOS and macOS waiting to be solved. Some are known for years. Wasn’t there a problem with the M-series of chips with security? Both platforms have vulnerabilities and in my experience Apple isn’t known to solve things quickly. Communication about these vulnerabilities Apple only does when there isn’t a way to keep it quiet. Also Apple doesn’t pay users who tell Apple there is a vulnerability or give any form of feedback to people who point those vulnerabilities out.

There will always be vulnerabilities on both platforms
It seems that "severity" isn't in your vocabulary.
 
Well actually only Pixels are confirmed to be affected, anything else is implied/assumed. The fact that Google notified others doesn't mean they are affected.

Anyway, the app was always disabled and in order to activate it you need physical access to the phone and its password, at which point why bother with this app at all? Also those at 9to5Google tried to activate the app themselves and couldn't, so it's not a walk in the park even if you want to do it to your own phone.

Google knew very well what this was and maybe set up a schedule for when they issue the app removal update. It's not a burning problem like it was initially implied.
I'm just countering your spin.
 
What are Pixel's strong points for you?
Your key words are ‘for me’…
* The camera image processing easily beats iPhone for me. Photos look truer to what my eye sees, vs the oversaturated weird skin tones on the iPhone (iPhone still wins on video)
* Snappier UI. The iPhone feels more fluid, but also feels slow in comparison. Some may remember the speed of iOS 6. That’s what my Pixel feels like.
* Call screening is a killer feature. The voicemail thing on iOS doesn’t compare
* It’s 2024 and I STILL can’t set an independent or rising volume level on my iPhone alarm. I don’t want to use bedtime.
* No need to carry two phones thanks to work profile. My iOS work colleagues all have to carry two iPhones which is kind of ridiculous.
* Many small things. The phone simply feels more like a ‘smart’ phone, and makes my iPhone feel very dull and limited.

To finish on positives for the iPhone, the OLED and True Tone easily outclass the Pixel display. I don’t know why Google doesn’t address this. And of course the apps are more polished because developers seem to love iOS. The aesthetic experience remains a winner for the iPhone. The focus is different for these two ecosystems. Strengths in both, which is why I use both.
 
Disappointed to hear this. Hope all devices get the update to fix the vulnerability in the near future.
 
This is a quote from a GrapheneOS admin, who studied this kind of app (and knows what they do); it's not a real vulnerability. In order to exploit it you need full device access anyway, at which point, why would somebody bother with this app? iVerify is being disingenuous about the gravity of this because they are trying to take advantage of this to promote themselves.

Google said the following: “Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update,”

We omit their app from GrapheneOS and we could promote it based on that but we don't believe in doing that when this is not a real vulnerability. It's a disabled component that's not exposing any attack surface for the stock Pixel OS. You need to get ADB access or exploit the OS to enable it and at that point you already have far more access. There's no value to attackers from this app. It's ridiculous.
 
I'm just countering your spin.
There's nothing to counter, even Google said:
“Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update,”

If this would have been a general Android vulnerability they would have issued an Android update not just a Pixel update.
Also you can be certain iVerify would have mentioned all the other affected Android OEMs if they existed, just to increase the impact. This is what they are after, coverage.
 
And yet Android users come into the iPhone forums to tell us how superior their platform is. :oops:



What’s your point?

PS: I am no Android user.
 
Intel also had a flaw and yet it was mitigated, however the M1/2/3 requires physical access… correct? I think that’s his point.
 

If we are getting technical go deeper. Pointless fanboys wing batting does not make things better for anyone.

His point was simply that iOS is superior when it comes to high risk vulnerabilities and he used this event to claim it.

Security flaws and patching is not only a thing of non Apple tech.

Keep whatever system you use updated to the latest.

 
If we are getting technical go deeper. Pointless fanboys wing batting does not make things better for anyone.
The point is there are vulnerabilities and then there are vulnerabilities. Saying there is a vulnerability in a vacuum without supporting information is pointless. Zero day zero clicks are obviously the worst.
His point was simply that iOS is superior when it comes to high risk vulnerabilities and he used this event to claim it.
iOS has had its share. But when I look at the CVE list imo Android has more red flags, imo.
Security flaws and patching is not only a thing of non Apple tech.

Keep whatever system you use updated to the latest.

 