Friend
Professional
- Messages
- 2,653
- Reaction score
- 850
- Points
- 113
The demo app puts millions of smartphones and the security of US intelligence at risk.
iVerify has discovered a vulnerability in the Showcase. apk app that has been pre-installed on millions of Pixel devices worldwide since September 2017. Excessive system privileges of the application open up the possibility of remote code execution and installation of malicious packages on the device.
Specialists from iVerify and partner companies Palantir Technologies and Trail of Bits conducted a thorough investigation, which revealed that Showcase. apk is part of the Pixel device firmware and is included in OTA (over-the-air) images. Google has not yet offered a fix for the problem, and the app itself cannot be removed in the standard way.
According to iVerify, the app was developed by Smith Micro Software, a Pennsylvania-based company that builds remote access software and parental control tools. Showcase. apk was originally intended for store employees to demonstrate how devices work. Representatives of Smith Micro did not comment on the discovery of specialists.
The application loads configuration files from a single domain via an unprotected HTTP protocol, which allows you to substitute files during data transfer. An attacker can interfere with the transfer process and inject malicious code that will execute commands with system privileges, which will give the hacker full control over the device. In addition, the application does not authenticate the domain from which configuration files are downloaded, which further exacerbates the problem.
During the technical analysis, experts found flaws in the Showcase.apk code. For example, the application does not perform correct verification of certificates and signatures, which allows a cybercriminal to bypass verification processes when uploading files. The app also uses predictable URLs to communicate with a remote server, which makes it easier for hackers.
In light of the events, Palantir Technologies, one of the largest data analysis companies serving the US intelligence services, abandoned the use of Android devices in favor of the iPhone inside the company for several years. While the app is inactive by default on most devices and you need to manually enable it, there is still the possibility that Showcase.apk may be activated in other ways.
iVerify compares the vulnerability found with the recent global Windows crash caused by problems in the CrowdStrike software. The Showcase.apk vulnerability can also lead to large-scale consequences, since the error is embedded deep in the system.
iVerify reported the problem to Google more than 3 months ago, but until recently, the corporation did not take any action to fix the error. Only after the report was published, Google promised to release an update that will remove the dangerous app from supported Pixel devices. A Google representative said that notifications about the problem will also be sent to other manufacturers of Android devices.
Google has not yet recorded any cases of exploiting the vulnerability through Showcase and assures that its activation requires physical access to the device and the user's password. However, representatives of Palantir believe that the very presence of such an application on Google Pixel devices is a concern, since these phone models are considered the most secure among Android devices. It's also unclear why Google pre-installs the app on all Pixel devices, when in reality it's only used in a limited number of cases.
Against the background of an increasing number of such incidents, experts call for strengthening measures to ensure the security of embedded software, as well as for a more transparent development and testing process.
Source
iVerify has discovered a vulnerability in the Showcase. apk app that has been pre-installed on millions of Pixel devices worldwide since September 2017. Excessive system privileges of the application open up the possibility of remote code execution and installation of malicious packages on the device.
Specialists from iVerify and partner companies Palantir Technologies and Trail of Bits conducted a thorough investigation, which revealed that Showcase. apk is part of the Pixel device firmware and is included in OTA (over-the-air) images. Google has not yet offered a fix for the problem, and the app itself cannot be removed in the standard way.
According to iVerify, the app was developed by Smith Micro Software, a Pennsylvania-based company that builds remote access software and parental control tools. Showcase. apk was originally intended for store employees to demonstrate how devices work. Representatives of Smith Micro did not comment on the discovery of specialists.
The application loads configuration files from a single domain via an unprotected HTTP protocol, which allows you to substitute files during data transfer. An attacker can interfere with the transfer process and inject malicious code that will execute commands with system privileges, which will give the hacker full control over the device. In addition, the application does not authenticate the domain from which configuration files are downloaded, which further exacerbates the problem.
During the technical analysis, experts found flaws in the Showcase.apk code. For example, the application does not perform correct verification of certificates and signatures, which allows a cybercriminal to bypass verification processes when uploading files. The app also uses predictable URLs to communicate with a remote server, which makes it easier for hackers.
In light of the events, Palantir Technologies, one of the largest data analysis companies serving the US intelligence services, abandoned the use of Android devices in favor of the iPhone inside the company for several years. While the app is inactive by default on most devices and you need to manually enable it, there is still the possibility that Showcase.apk may be activated in other ways.
iVerify compares the vulnerability found with the recent global Windows crash caused by problems in the CrowdStrike software. The Showcase.apk vulnerability can also lead to large-scale consequences, since the error is embedded deep in the system.
iVerify reported the problem to Google more than 3 months ago, but until recently, the corporation did not take any action to fix the error. Only after the report was published, Google promised to release an update that will remove the dangerous app from supported Pixel devices. A Google representative said that notifications about the problem will also be sent to other manufacturers of Android devices.
Google has not yet recorded any cases of exploiting the vulnerability through Showcase and assures that its activation requires physical access to the device and the user's password. However, representatives of Palantir believe that the very presence of such an application on Google Pixel devices is a concern, since these phone models are considered the most secure among Android devices. It's also unclear why Google pre-installs the app on all Pixel devices, when in reality it's only used in a limited number of cases.
Against the background of an increasing number of such incidents, experts call for strengthening measures to ensure the security of embedded software, as well as for a more transparent development and testing process.
Source
