Hidden Backdoor Flaw Found in Android Phones Sold by Google

A little-known, insecure feature in Google’s master software for some Android phones was discovered embedded. The firm iVerify detected the feature in devices at a U.S. intelligence contractor and said the control allowed potential spying or remote control of users. According to researchers from that firm, the feature in question appears to give deep access for showing the devices to employees at stores selling Pixel and other Android models. This discovery has raised major concerns, especially in the intelligence contractor community, with companies such as Palantir Technologies discontinuing the issuing of Android phones to all their employees.

Perhaps the most apprehensive would be Palantir Technologies, a data analysis platform company, which discovered the problem first and that Google had not brought about any solution for mobile security. Dane Stuckey, the Chief Information Security Officer at Palantir Technologies, was visibly a very concerned man about mobile security. He clearly needed trust in devices used by his employees. In and of itself, the very fact that it contained third-party, unvetted software was an egregious breach of trust by Palantir—this case being on Google Android phones. In fact, the company more or less made its own organization abstain from using Android devices until these problems were sorted out. An application, a file in this case by the name of Showcase.apk, that is usually inactive but can be loaded when certain conditions are met represents a high security risk.

iVerify could install the application on a device, which signifies that any talented hacker could do so from afar. Worst of all, upon installing, the application would even attempt to download directions from an insecure website, making it susceptible to man-in-the-middle type attacks where hackers could capture and change instructions that the user is attempting to send to the device. Theoretically, this could be used by cyber criminals to inject malicious code or spyware into the system. In a reply to the discovery, Google stated that an update would be published to erase the application from all Pixel devices in support of it. The company’s representative, Ed Fernandez, stated that the company would also take additional steps to make the issue known to distributors of the other Android phones.

This response was also over 90 days later following the first contact made by iVerify to Google regarding the same which begs questions about what was being done, the implications thereof, and the possible harm in the meantime. Broad security issues in demonstrating an application such as Showcase.apk are the installed software for the devices, which means that at least some—such as Google’s Pixel phones—are designed to be secure. After all, this is an application found on devices designed and controlled directly by Google, which is responsible for issuing timely security updates. It was reportedly created by Smith Micro Software, the company specializing in remote access and parental control tools, though they did not respond to questions as to how such an app came to reside on Android devices.