https://www.theverge.com/2024/8/15/24221151/google-pixel-showcase-software-spyware-palantir-iverify

Google Pixel phones sold with security vulnerability, report finds

The software could be used to surveil or remotely control users' phones, according to iVerify.

By Gaby Del Valle, a policy reporter. Her past work has focused on immigration politics, border surveillance technologies, and the rise of the New Right.

Aug 15, 2024, 5:12 PM UTC

Most Google Pixel phones sold since September 2017 included software that could be used to surveil or remotely control users' phones, according to a new report from the cybersecurity company iVerify.

The vulnerability was discovered after iVerify's endpoint detection and response (EDR) scanner flagged an insecure Android device at Palantir Technologies, an iVerify client. After launching a joint investigation, iVerify, Palantir, and Trail of Bits discovered a hidden Android software package, Showcase.apk, across Google Pixel devices. The data-mining firm Palantir, which sells its surveillance products to governments and private companies, banned Android devices across the company in response.

"This was very deleterious of trust, to have third-party, unvetted insecure software on it," Dane Stuckey, Palantir's chief information security officer, told The Washington Post. "We have no idea how it got there, so we made the decision to effectively ban Androids internally."
According to iVerify's report, the software was developed by a company called Smith Micro Software and appears to have been created for Verizon for in-store demos. The app was inactive by default and had to be manually enabled, the iVerify report found.

"When enabled, Showcase.apk makes the operating system accessible to hackers and ripe for man-in-the-middle attacks, code injection, and spyware," the report reads. "The impact of this vulnerability is significant and could result in data loss breaches totaling billions of dollars."

In a statement to The Verge, Google spokesperson Ed Fernandez said the software was made "for Verizon in-store demo devices and is no longer being used," adding that Google has "seen no evidence of any active exploitation."

iVerify told Google about its report in early May, according to Wired. The company had not publicly disclosed the vulnerability, nor has it released a software update to remove the problem. Wired reported that Android would remove the app from all Pixel devices "in the coming weeks," which Fernandez confirmed to The Verge.

"It's really quite troubling. Pixels are meant to be clean," Stuckey, of Palantir, told the Post. "There is a bunch of defense stuff built on Pixel phones."