Skip to main content

Digital Trends may earn a commission when you buy through links on our site. Why trust us?

Security experts just found a massive flaw with Google Pixel phones

A person holding the Google Pixel 8 Pro.
Google Pixel 8 Pro Andy Boxall / Digital Trends

Google is patching a serious firmware-level vulnerability that has been present on millions of Pixel smartphones sold worldwide since 2017. “Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update,” the company told The Washington Post.

The issue at heart is an application package called Showcase.apk, which is an element of Android firmware that has access to multiple system privileges. Ordinarily, an average smartphone user can’t enable or directly interact with it, but iVerify’s research proved that a bad actor can exploit it to inflict some serious damage.

Recommended Videos

“The vulnerability makes the operating system accessible to cybercriminals to perpetrate man-in-the-middle attacks, malware injections, and spyware installations,” according to the company. The security firm revealed that the flaw opens the doors for remote code execution and remote package installation.

Please enable Javascript to view this content

That means a bad actor can install malware on a target device without having physical access to it. Cybercriminals can subsequently launch various forms of attack depending on the malware injected, which includes, but is not limited to, stealing sensitive data or system takeover.

The core issue is that Showcase.apk downloads configuration assets over an unsecured HTTP connection, leaving it vulnerable to malicious actors. What makes it scarier is that users can’t directly uninstall it like they can remove other apps stored on their phones.

A very Pixel problem

The Google Pixel 8a's screen.
Andy Boxall / Digital Trends

So, how does the Google Pixel factor in the whole sequence, and not every Android phone on the planet? Well, the Showcase.apk package comes preinstalled in the Pixel firmware and is also a core component of the OTA images that Google publicly releases for installing software updates — especially during the early development process.

iVerify notes that there are multiple ways a hacker can enable the package, even though it is not active by default. Google could face some serious heat following the disclosures for multiple reasons.

First, iVerify says it notified Google about its alarming discovery 90 days before going public, but Google didn’t provide an update on when it would fix the flaw — leaving millions of Pixel devices sold worldwide at risk. Second, one of the devices flagged as unsecured was in active use at Palantir Technologies, an analytics company recently awarded a contract worth about half a billion dollars by the U.S. Department of Defense to make computer vision systems for the U.S. Army.

The Google Pink 9 in its pink color.
Joe Maring / Digital Trends

Now, just for the sake of clarity, it’s not Showcase.apk itself that is problematic. It’s the way that it downloads configuration files over an unsecured HTTP connection that was deemed an open invitation for hackers to snoop in. To give you an idea of the threat, Google’s Chrome browser warns users every time they visit a website using the old HTTP protocol instead of the safer HTTPS architecture.

After publishing this story, a Google spokesperson sent the following statement to Digital Trends for further clarification about the whole situation:

“This is not an Android platform, nor Pixel vulnerability, this is an APK developed by Smith Micro for Verizon in-store demo devices and is no longer being used. Exploitation of this app on a user phone requires both physical access to the device and the user’s password. We have seen no evidence of any active exploitation. Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update. The app is not present on Pixel 9 series devices. We are also notifying other Android [manufacturers].”

This is serious

The Google Pixel 9 Pro XL next to the Google Pixel 8 Pro.
Ajay Kumar / Digital Trends

Irrespective of the threat vehicle, what could land Google in trouble is that at-risk Pixel smartphones were in active usage by a defense contractor, which could theoretically put national security at risk. It’s not hard to imagine why.

Just look at how TikTok has been banned for federal employees in multiple states, citing similar national security concerns. “It’s really quite troubling. Pixels are meant to be clean. There is a bunch of defense stuff built on Pixel phones,” Dane Stuckey, chief information security officer at Palantir, told The Post.

The app was made by Smith Micro for telecom giant Verizon to set phones into demo mode for retail stores. Moreover, since the app itself doesn’t contain any malicious code, it’s nigh impossible for antivirus apps or software to flag it as such. Google, on the other hand, says exploiting the flaw would require physical access and knowledge of the phone’s passcode.

iVerify, however, has also raised questions about the app’s widespread presence. When it was developed for demo units at Verizon’s request, why was the package part of Pixel firmware on devices, not just those destined for the carrier’s inventory?

Following the security audit, Palantir effectively removed all Android devices from its fleet and has shifted exclusively to iPhones, a transition that will reach completion over the next few years. Thankfully, there has been no evidence of the Showcase.apk vulnerability being exploited by bad actors.

Nadeem Sarwar
Nadeem is a tech journalist who started reading about cool smartphone tech out of curiosity and soon started writing…
Google boosts Android security against unknown tracking devices
Unknown tracker alert for Android.

Google is adding a couple of new features to Android’s safety alert system that will help users find unknown trackers moving with them. The new features cover all tags and tracking devices that support Google’s Find My Device service for locating lost hardware.

The first one is Find Nearby. This one will help users locate any hidden tracker. For example, if your Android phone flashes an unknown tracker alert, you can check for its presence using the Play Sound feature.

Read more
Here’s how your Android phone could help stop your motion sickness
Someone holding the Google Pixel 9 with the screen on.

Motion sickness — also called kinetosis — is a common problem. In fact, as many as one in three people have felt sick while in a vehicle. For those who suffer from it, reading in the car is practically impossible.

Apple introduced a feature that helps those prone to motion sickness use their phones without the accompanying nausea. Now, Google is working on a similar feature for Android phones.

Read more
This phone highlights what Google and Samsung need to fix with their cameras in 2025
Oppo Find X8 Pro laying flat on a table.

When companies release new smartphones, they usually call out a specific camera specification or two. For the Galaxy S24 Ultra, Samsung calls out the 200-megapixel main camera as well as the 5x telephoto, while Apple focused on its 48MP Fusion camera, and Google made bold claims about the power of its 5x telephoto zoom.

However, dive deeper, and you’ll often find that these flashy cameras are paired with other lower-resolution sensors. For some companies, this isn’t a significant problem, and Google has proven that you can work wonders using AI and algorithms, even when the hardware doesn’t match up.

Read more