Google Pixel phones have a security flaw that can put users at risk. The problem lies in the "Showcase" app, which comes pre-installed on most Pixel devices. Google is taking action to fix the issue by removing the app soon.
What is the 'Showcase' app?
The "Showcase" app was developed by Smith Micro for Verizon to put devices into a retail mode: its intended purpose was to launch a retail app the first time a device booted up.
However, it has been pre-loaded on Pixel phones for years, even long after its intended use case expired. Among other things, the app has advanced system privileges, including the power to remotely install software or execute code.
The application downloads a configuration file over an unencrypted HTTP connection, which allows that configuration to be hijacked and then used to control the attacked device in some way, perhaps to the extent the app's permissions allow.
Although the app is disabled by default and requires physical access to enable, the risk is still concerning. Google said it will take the "Showcase" application off Pixel devices in the coming weeks.
There is no evidence that active exploitation has taken place. However, privacy-oriented data analytics company Palantir has expressed disappointment in Google's response, citing a lack of transparency and trust in the ecosystem.
What's next?
The Pixel 9 series already ships without "Showcase" installed. Google will likely remove the app from other supported Pixel devices through upcoming security patches. It's unclear if other Android devices are also affected, but Google is notifying other Android original equipment manufacturers (OEMs).