From bgr.com
This week should be one of celebration for Google after debuting the Pixel 9 and Pixel Watch 3 at the Made by Google event, but now, a troubling report threatens to spoil the fun. According to the cybersecurity company iVerify, “a very large percentage” of Pixel devices that have shipped since 2017 have included software that could be manipulated to hack into the phones.
As iVerify notes, its endpoint detection and response (EDR) technology uncovered an insecure Android device at Palantir Technologies earlier this year. iVerify opened a joint investigation with Palantir and Trail of Bits, and they soon discovered in the firmware an Android package dubbed Showcase.apk, developed by Smith Micro.
The code of the package is intended to turn the phones into demo devices, so a store like Best Buy or Verizon can set the phone up in a display. The problem is that the package also carries high-level, entirely unnecessary system privileges, including remote code execution and remote package installation capabilities.
“The app vulnerability leaves millions of Android Pixel devices susceptible to man-in-the-middle attacks, giving cybercriminals the ability to inject malicious code and dangerous spyware,” said iVerify’s researchers in a report on the blog. “Cybercriminals can use vulnerabilities in the app’s infrastructure to execute code or shell commands with system privileges on Android devices to take over devices to perpetrate cybercrime and breaches.”
This is obviously an incredibly worrisome discovery, but the good news is that Google is already working on a fix for its Pixel phones.
The post Millions of Google Pixels have shipped with a major security flaw first appeared on bgr.com