Google has worked hard to make Android as secure as possible, but as with any operating system, security issues occasionally pop up. One flaw allowed malicious apps to be downloaded on Google Pixel phones, and has now been patched.
A hidden and insecure feature within Google’s software for some Android phones has been discovered. Security firm iVerify found the feature, called Showcase.apk, on phones at a U.S. intelligence contractor. The app, normally dormant, appears designed to give deep access to devices for demonstration purposes, but researchers were able to turn it on. The discovery prompted data analytics company Palantir Technologies (best known for helping the Trump administration deport immigrants from the United States) to ban the use of Android phones internally, with an executive saying, “This was very deleterious of trust… We have no idea how it got there.”
The app’s insecurity lies in its ability to download instructions from an insecure web address, leaving it open to interception and manipulation. iVerify warned, “The app vulnerability leaves millions of Android Pixel devices susceptible to man-in-the-middle attacks, giving cybercriminals the ability to inject malicious code and dangerous spyware.”
iVerify contacted Google over 90 days ago but received no indication of a fix until Wednesday night, when Google told The Washington Post it would issue an update to remove the application. Google maintains it has not seen any hacking through Showcase and that exploitation would require both physical access and the user’s password. However, the fact that this oversight shipped in an app included on Google-made Pixel phones, which are known for their prompt security updates, is concerning at the very least.
This is another great reminder to keep your Android phone up to date, and install security patches as soon as they are available. Once a fix for security issues like this one is available, you can keep yourself protected.
Source: The Washington Post