Robert Triggs / Android Authority
TL;DR
- Showcase is a potentially vulnerable app present in Pixel firmware, designed for Verizon in-store demos.
- The app is not enabled by default, severely limiting the potential for it to be exploited.
- Out of an abundance of caution, Google will still update Pixel phones to remove the software.
Earlier today, security researchers shared a concerning discovery made in the firmware of multiple Pixel smartphones. A software package identified as Showcase.apk appeared to leave handsets vulnerable to a number of different attack vectors, with no obvious way to remove it. Since news of this issue first surfaced, Google has been speaking out to clarify the serious limitations that help mitigate the potential impact of a Showcase exploit, while also committing to remove the software from affected Pixel phones.
Showcase, a Google spokesperson explained to Android Authority, is an app developed by Smith Micro for use as an internal Verizon demo, letting the carrier easily highlight phone features to shoppers in its stores. But while it’s not actively enabled on the Pixel phone you buy and take home, the software is still there — and this is what the researchers at iVerify discovered in their analysis. If it were to get switched on, there’s the possibility that an attacker could take advantage of insecurities in the app to gain control of your device — and because Showcase is granted a lot of permissions, there’s the potential for it to do real damage.
Because the app isn’t enabled, an attacker would first need physical access to your phone and to know your password in order to get Showcase running — and if they have that much already, the game’s pretty much over. Sure enough, Google hasn’t uncovered any evidence that anyone’s actually pulled off an attack this way.
Still, the company clearly understands how distressing this must feel for security-conscious Pixel users, and out of what it characterizes as “an abundance of precaution,” Google tells us that it “will be removing [Showcase] from all supported in-market Pixel devices with an upcoming Pixel software update.”
You can also rest easy knowing that the shiny new Pixel 9 you just pre-ordered is going to arrive without a touch of Showcase on it. Google plans to reach out to its Android OEM partners to ensure that risky software like this hasn’t gone unnoticed on any of their phones, either.