• sunzu2@thebrainbin.org
    link
    fedilink
    arrow-up
    23
    arrow-down
    1
    ·
    3 months ago

    The issue relates to a software package called “Showcase.apk” that runs at the system level and lurks invisible to users. The application was developed by the enterprise software company Smith Micro for Verizon as a mechanism for putting phones into a retail store demo mode—it is not Google software. Yet for years, it has been in each Android release for Pixel and has deep system privileges, including remote code execution and remote software installation. Even riskier, the application is designed to download a configuration file over an unencrypted HTTP web connection that iVerify researchers say could be hijacked by an attacker to take control of the application and then the entire victim device.

    “flaw”

    any idea if de-google phones have this “feature”

    • evo@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      27
      ·
      3 months ago

      The app isn’t enabled by default so stock Pixels aren’t even vulnerable without physical access to an unlocked device.

    • BakedCatboy
      link
      fedilink
      English
      arrow-up
      8
      ·
      3 months ago

      I couldn’t find the APK on my pixel 5 running lineage so I think only stock-based roms should be affected. I checked using an APK extractor app that lists all system apps including things like 3 button navigation bar.