Google sold Android phones with hidden insecure feature
https://www.washingtonpost.com/technology/2024/08/15/google-sold-android-phones-with-hidden-insecure-feature-companies-find/

We'll need to know more but this is what the Washington Post reported:

"Google's master software for some Android phones includes a
hidden feature that is insecure and could be activated to allow
remote control or spying on users, according to a security company
that found it inside phones at a U.S. intelligence contractor.

The feature appears intended to give employees at stores selling
Pixel phones and other models deep access to the devices so they
can demonstrate how they work, according to researchers at iVerify'
who shared their findings with The Washington Post.

On 15/08/2024 20:07, Andrew wrote:
> Google sold Android phones with hidden insecure feature
> https://www.washingtonpost.com/technology/2024/08/15/google-sold-android-phones-with-hidden-insecure-feature-companies-find/
>
> We'll need to know more but this is what the Washington Post reported:
>
> "Google's master software for some Android phones includes a
> hidden feature that is insecure and could be activated to allow
> remote control or spying on users, according to a security company
> that found it inside phones at a U.S. intelligence contractor.
>
> The feature appears intended to give employees at stores selling
> Pixel phones and other models deep access to the devices so they
> can demonstrate how they work, according to researchers at iVerify'
> who shared their findings with The Washington Post.

I assume that showcase.apk was removed when grapheneOS was installed as
that is intended for use in Pixel phones.

--
Jeff

Jeff Layman wrote on Thu, 15 Aug 2024 22:31:17 +0100 :

> I assume that showcase.apk was removed when grapheneOS was installed as
> that is intended for use in Pixel phones.

You're correct that "showcase.apk" seems to be the culprit, according to
this news article about the Pixel flaw which shipped since 2017 apparently.
*Researchers claim most Google Pixel phones shipped with exploitable bloatware since 2017*
<https://www.engadget.com/mobile/smartphones/researchers-claim-most-google-pixel-phones-shipped-with-exploitable-bloatware-since-2017-185926564.html>

"The issue relates to "Showcase.apk," a bit of software made for
Verizon and used to put Pixel devices in demo mode while displayed
in retail stores.

The software downloads a configuration file over an unencrypted
web connection, which - because of Showcase's deep access - might
allow bad actors to perform remote code execution or remote
package installation on the device.

The especially troubling part of this discovery is that Showcase
can't be uninstalled at the user level. And while it is not
enabled by default, iVerify said there could be multiple ways
to activate the software. iVerify alerted Google to the
vulnerability in May; thus far there's no confirmed evidence
it's been exploited in the wild.

A Google spokesperson told Wired that Showcase is no longer being
used by Verizon and that Google would have a software update to
remove the software from all Pixel devices in the coming weeks.

Additionally, the rep said Showcase is not present in the line
of Google Pixel 9 devices announced during the Made by Google
event this week."

On Fri, 16 Aug 2024 02:27:32 -0000 (UTC), Andrew wrote:
https://iverify.io/blog/iverify-discovers-android-vulnerability-impacting-millions-of-pixel-devices-around-the-world
iVerify Discovers Android Vulnerability Impacting Millions of Pixel Devices Around the World
Published Aug 14, 2024

Earlier this year, iVerify's EDR capability flagged an Android device at
Palantir Technologies as unsecure, which launched an investigation in
partnership with Palantir and Trail of Bits. The investigation revealed an
Android application package, Showcase.apk, that is part of the firmware.
When enabled, Showcase.apk makes the operating system accessible to hackers
and ripe for man-in-the-middle attacks, code injection, and spyware. The
impact of this vulnerability is significant and could result in data loss
breaches totaling billions of dollars. iVerify notified Google with a
detailed vulnerability report following their 90-day disclosure process.
It's unclear when Google will issue a patch or remove the software from the
phones to mitigate the potential risks.

The Showcase.apk package was developed by Smith Micro, a software company
operating in the Americas and EMEA that provides software packages for
remote access, parental control, and data-clearing tools. Smith Micro
likely designed the package to enhance sales of Pixel and Android phones in
Verizon stores. The app is part of the firmware image, so millions of
Android Pixel phones worldwide could have this application running at the
system level.

The application package is designed to retrieve a configuration file over
unsecured HTTP. It allows the app to execute system commands or modules
that could open a backdoor, making it easy for cybercriminals to compromise
the device. Since this app is not inherently malicious, most security
technology may overlook it and not flag it as malicious, and since the app
is installed at the system level and part of the firmware image, it can not
be uninstalled at the user level.

On 16/08/2024 03:27, Andrew wrote:
> Jeff Layman wrote on Thu, 15 Aug 2024 22:31:17 +0100 :
>
>> I assume that showcase.apk was removed when grapheneOS was installed as
>> that is intended for use in Pixel phones.
>
> You're correct that "showcase.apk" seems to be the culprit, according to
> this news article about the Pixel flaw which shipped since 2017 apparently.
> *Researchers claim most Google Pixel phones shipped with exploitable bloatware since 2017*
> <https://www.engadget.com/mobile/smartphones/researchers-claim-most-google-pixel-phones-shipped-with-exploitable-bloatware-since-2017-185926564.html>
>
> "The issue relates to "Showcase.apk," a bit of software made for
> Verizon and used to put Pixel devices in demo mode while displayed
> in retail stores.
>
> The software downloads a configuration file over an unencrypted
> web connection, which - because of Showcase's deep access - might
> allow bad actors to perform remote code execution or remote
> package installation on the device.
>
> The especially troubling part of this discovery is that Showcase
> can't be uninstalled at the user level. And while it is not
> enabled by default, iVerify said there could be multiple ways
> to activate the software. iVerify alerted Google to the
> vulnerability in May; thus far there's no confirmed evidence
> it's been exploited in the wild.
>
> A Google spokesperson told Wired that Showcase is no longer being
> used by Verizon and that Google would have a software update to
> remove the software from all Pixel devices in the coming weeks.
>
> Additionally, the rep said Showcase is not present in the line
> of Google Pixel 9 devices announced during the Made by Google
> event this week."

Firstly, I tried finding out the answer to my question about
Showcase.apk and grapheneOS but I couldn't tie the search down enough,
as "showcase" is a word often used!

Does/did it affect only Pixel phones? The Washington Post article states
"The feature appears intended to give employees at stores selling Pixel
phones *and other models*..." (my emphasis).

There's a lot more info at
<https://iverify.io/blog/iverify-discovers-android-vulnerability-impacting-millions-of-pixel-devices-around-the-world>.
In particular, the "Conclusion" has some real food for thought. I'll
repeat it here:

"The Showcase.apk discovery and other high-profile incidents, like
running third-party kernel extensions in Microsoft Windows, highlight
the need for more transparency and discussion around having third-party
apps running as part of the operating system. It also demonstrates the
need for quality assurance and penetration testing to ensure the safety
of third-party apps installed on millions of devices.

Further, why Google installs a third-party application on every Pixel
device when only a very small number of devices would need the
Showcase.apk is unknown. The concern is serious enough that Palantir
Technologies, who helped identify the security issue, is opting to
remove Android devices from its mobile fleet and transition entirely to
Apple devices over the next few years. On most devices iVerify
researchers analyzed, the app was inactive by default and had to be
manually enabled. To avoid endangering users, we are redacting our way
of enabling the app in the full report. There might be other ways to
enable the app or situations where the app is enabled by default."

Anyway, I'm not at all surprised by this little episode. I've said many
times before that I don't trust Google or any of the phone manufacturers
(and it will no doubt get worse with the independent Chinese
manufacturers putting their heavily adapted versions of android on their
phones) to not spy on their customers. Or, as in the case of showcase,
to mess up enough so that others can!

So good luck with the iverify.io comment "... highlight the need for
more transparency and discussion around having third-party apps running
as part of the operating system". And what about first-party apps
running that we don't know about, and probably never will?

--
Jeff

On Fri, 16 Aug 2024 08:17:28 +0100, Jeff Layman wrote:
> Firstly, I tried finding out the answer to my question about
> Showcase.apk and grapheneOS but I couldn't tie the search down enough,
> as "showcase" is a word often used!
>

Sometimes quotes still work. Try "showcase.apk" with the quotes.

When I did, every single result on the first two pages was for
showcase.apk. (I didn't look further.)

--
Stan Brown, Tehachapi, California, USA https://BrownMath.com/
Shikata ga nai...

Jeff Layman <Jeff@invalid.invalid> wrote:
> Firstly, I tried finding out the answer to my question about
> Showcase.apk and grapheneOS but I couldn't tie the search down enough,
> as "showcase" is a word often used!

I went on the GrapheneOS forum and searched 'showcase':
https://discuss.grapheneos.org/d/14984-is-grapheneos-an-answer-to-recent-wired-headline-about-showcaseapk

But I could have told you the answer anyway - GOS builds from Google's
sources, so they don't include closed source apps like this. If you choose
to install Google Play then that's closed source, but they carefully vet what
gets installed.

GrapheneOS also have an official statement which debunks the whole story:
https://discuss.grapheneos.org/d/14993-debunking-fake-stock-pixel-os-vulnerability-from-an-edr-company

Theo

On 16/08/2024 20:09, Stan Brown wrote:
> On Fri, 16 Aug 2024 08:17:28 +0100, Jeff Layman wrote:
>> Firstly, I tried finding out the answer to my question about
>> Showcase.apk and grapheneOS but I couldn't tie the search down enough,
>> as "showcase" is a word often used!
>>
>
> Sometimes quotes still work. Try "showcase.apk" with the quotes.
>
> When I did, every single result on the first two pages was for
> showcase.apk. (I didn't look further.)

I think I searched too early this morning! I was using Startpage anyway,
not Google directly. There seems to be a slight difference in the
results using showcase.apk or "showcase.apk".

Anyway, as you note, there are quite a few hits now.

--
Jeff

On 16/08/2024 20:47, Theo wrote:
> Jeff Layman <Jeff@invalid.invalid> wrote:
>> Firstly, I tried finding out the answer to my question about
>> Showcase.apk and grapheneOS but I couldn't tie the search down enough,
>> as "showcase" is a word often used!
>
> I went on the GrapheneOS forum and searched 'showcase':
> https://discuss.grapheneos.org/d/14984-is-grapheneos-an-answer-to-recent-wired-headline-about-showcaseapk
>
> But I could have told you the answer anyway - GOS builds from Google's
> sources, so they don't include closed source apps like this. If you choose
> to install Google Play then that's closed source, but they carefully vet what
> gets installed.
>
> GrapheneOS also have an official statement which debunks the whole story:
> https://discuss.grapheneos.org/d/14993-debunking-fake-stock-pixel-os-vulnerability-from-an-edr-company

It's hard to know who to believe these days... :-(

--
Jeff

Jeff Layman wrote on Fri, 16 Aug 2024 21:56:30 +0100 :

>> But I could have told you the answer anyway - GOS builds from Google's
>> sources, so they don't include closed source apps like this. If you choose
>> to install Google Play then that's closed source, but they carefully vet what
>> gets installed.

Since Aurora is the same thing as the Google Play Store is, I can't imagine
that anyone who installs GrapheneOS would ever put the Google Play Store on
it.

What on earth would be the reason to put the Google Play Store on a
non-Googled device when Aurora is a thousand times better anyway?

Makes no sense.

>> GrapheneOS also have an official statement which debunks the whole story:
>> https://discuss.grapheneos.org/d/14993-debunking-fake-stock-pixel-os-vulnerability-from-an-edr-company
>
> It's hard to know who to believe these days... :-(

I have one Occam's Razor rule that a web site that explains BOTH SIDES of
the story is almost always more knowledgeable & more reputable than a web
site (or article) that only explains ONE SIDE of the story.

I read the link that Theo kindly supplied, which changes the picture a lot.
<https://discuss.grapheneos.org/d/14993-debunking-fake-stock-pixel-os-vulnerability-from-an-edr-company>

Anyway, I looked in Muntashirakon App Manager for "showcase.apk" and it's
not on my T-Mobile Samsung Galaxy A32-5G so I'm not going to worry much.

Andrew wrote:

> I looked in Muntashirakon App Manager

Finally v3.1.7 of that app is capable of getting past the opening T&C
screen without hanging ...

Andy Burns wrote on Sat, 17 Aug 2024 11:13:22 +0100 :

>> I looked in Muntashirakon App Manager
>
> Finally v3.1.7 of that app is capable of getting past the opening T&C
> screen without hanging ...

Finally it's working for you! :)

I feel bad about that happening to you, of all people, especially as I've
extolled the virtues of the Muntashirakon App Manager as the finest.

Glad that it's finally working for you.

What I like best about Muntashirakon App Manager is that it never misses a
package (unlike other app managers) and it always shows the full package
name (again, unlike others) and more importantly, it has all the public and
private shortcuts you can make plus it gives an assessment of each app in
terms of trackers and bloatware and it easily allows you to remove them.

On 17/08/2024 00:39, Andrew wrote:

> Anyway, I looked in Muntashirakon App Manager for "showcase.apk" and it's
> not on my T-Mobile Samsung Galaxy A32-5G so I'm not going to worry much.

Perhaps Samsung have their own version and call it something else... ;-)

FWIW MAM hasn't found it on my Xiaomi either.

--
Jeff