- cross-posted to:
- security
- technology@lemmygrad.ml
- cross-posted to:
- security
- technology@lemmygrad.ml
Verify discovered an Android package, “Showcase.apk,” with excessive system privileges, including remote code execution and remote package installation capabilities, on a very large percentage of Pixel devices shipped worldwide since September 2017
The application downloads a configuration file over an unsecure connection and can be manipulated to execute code at the system level
The application retrieves the configuration file from a single US-based, AWS-hosted domain over unsecured HTTP, which leaves the configuration vulnerable and can makes the device vulnerable
Cybercriminals can use vulnerabilities in the app’s infrastructure to execute code or shell commands with system privileges on Android devices to take over devices to perpetrate cybercrime and breaches
Removal of the app is not possible through a user’s standard uninstallation process, and at this time, Google has not offered a patch for the vulnerability
It appears that Showcase.apk is preinstalled in Pixel firmware and included in Google’s OTA image for Pixel devices
Now imagine this happend to a Chinese phone from any manufacturer, may it be Xiaomi, Oneplus or whatever - could you imagine the outcry?
update from GrapheneOS devs explaining that the exploit isn’t as bad as it initially looks https://grapheneos.social/@GrapheneOS/112967309987371034
although it looks like it’s not as bad as originally seems https://grapheneos.social/@GrapheneOS/112967309987371034
You should edit this into the op, or probably the title too since a lot of people only read the title and nothing else
sure
I mean isn’t the pixel the easiest to swap OS on though. You really should be installing graphene or divestos instantly
Outcry over what? This isn’t really easily exploitable without full access to the device already and google said theyre removing it from their images.
iVerify vice president of research Matthias Frielingsdorf points out that while Showcase represents a concerning exposure for Pixel devices, it is turned off by default. This means that an attacker would first need to turn the application on in a target’s device before being able to exploit it. The most straightforward way to do this would involve having physical access to a victim’s phone as well as their system password or another exploitable vulnerability that would allow them to make changes to settings. Google’s Fernandez emphasized this limiting factor as well.
https://www.wired.com/story/google-android-pixel-showcase-vulnerability/
You genuinely telling me western media wouldn’t have field day with this if the same thing was found on a phone from a Chinese company?
No I’m telling you this is not that big of a deal and any device like this (especially with the stock firmware) you use probably has even more unpatched vulnerabilities.
Also I didn’t say anything about what the media response would be like, I’m only speaking about the vulnerability itself. Your jump to make this political is just reactionary. Yes theres more attention on vulnerabilities from Chinese company built devices but thats nothing new.
My whole point was about the double standard applied to US and Chinese tech. You were specifically asking what the outcry would be over, and you yourself admit that there would indeed be outcry in the west if it was a Chinese company. The fact that you don’t get the political angle here is entirely a you problem.