Google Pixel Devices Shipped with Vulnerable App, Leaving Millions at Risk

A large percentage of Google’s own Pixel devices shipped globally since September 2017 included dormant software that could be used to stage nefarious attacks and deliver various kinds of malware.

The issue manifests in the form of a pre-installed Android app called “Showcase.apk” that comes with excessive system privileges, including the ability to remotely execute code and install arbitrary packages on the device, according to mobile security firm iVerify.

“The application downloads a configuration file over an unsecure connection and can be manipulated to execute code at the system level,” it said in an analysis published jointly with Palantir Technologies and Trail of Bits.

“The application retrieves the configuration file from a single U.S.-based, AWS-hosted domain over unsecured HTTP, which leaves the configuration vulnerable and can make the device vulnerable.”

Read the Full Story Here

Source: The Hacker News