Google Sold Android Phones With Hidden Insecure Feature, Companies Find (washingtonpost.com)
Google's master software for some Android phones includes a hidden feature that is insecure and could be activated to allow remote control or spying on users, according to a security company that found it inside phones at a U.S. intelligence contractor. From a report: The feature appears intended to give employees at stores selling Pixel phones and other models deep access to the devices so they can demonstrate how they work, according to researchers at iVerify who shared their findings with The Washington Post. The discovery and Google's lack of explanation alarmed the intelligence contractor, data analysis platform vendor Palantir Technologies, to the extent that it has stopped issuing Android phones to employees, Palantir told The Post.
"Mobile security is a very real concern for us, given where we're operating and who we're serving," Palantir Chief Information Security Officer Dane Stuckey said. "This was very deleterious of trust, to have third-party, unvetted insecure software on it. We have no idea how it got there, so we made the decision to effectively ban Androids internally." The security company said it contacted Google about its findings more than 90 days ago and that the tech giant has not indicated whether it would remove or fix the application. On Wednesday night, Google told The Post that it would issue an update to remove the application. "Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update," said company spokesperson Ed Fernandez. He said distributors of other Android phones would also be notified.
Google sells spyware? You don't say! (Score:5, Funny)
I'm utterly shocked. My illusions are shattered...
Re: (Score:1)
Now nail them via Sueware!
Re: Google sells spyware? You don't say! (Score:2)
Pot calling Kettle... (Score:5, Insightful)
Listening to Palantir complain about spyware installed on Android does have a certain "pot calling the kettle black" sense to it.
Re: (Score:3)
Yes. How about "It takes one to know one"?
Re: (Score:3)
Listening to Palantir complain about spyware installed on Android does have a certain "pot calling the kettle black" sense to it.
Peter Thiel doesn't like having his secrets exposed
Re: (Score:2)
Mostly complaining because they thought they had an exclusivity contract for spying.
Re: (Score:2)
Didn't they dump iPhone too after the GPU hardware backdoor was disclosed?
Pine64 ftw?
Re: (Score:2)
I'm more curious about their statement of "unvetted insecure software". Are they saying they've had access to and gone through all of Android's code base? If not, are they saying they implicitly trust Google for some software but not for others?
This entire story reeks of virtue signalling.
Re: (Score:3)
It's easy to say it's insecure. It connects to a remote server for provisioning/instructions. And it does that over HTTP, so it's vulnerable to MITM attacks.
Re: Pot calling Kettle... (Score:2)
Re: (Score:2)
Obviously I can't mod your comment, but it's funny!
OOPS my bad: CORRECTED non-paywalled link (Score:3)
http://archive.today/DeMZg [archive.today] Sorry for my initial error folks.
Endless CAPTCHAs (Score:2)
Both your links give me endless CAPTCHAs and never show the actual page.
Hidden insecure features? (Score:2)
Are they usually not hidden?
Another reason to try CalyxOS or LineageOS (Score:2)
The Pixel hardware is excellent. A Googled OS can never be trusted. Same for Samsung or any phone from Verizon or ATT.
CalyxOS is not that difficult.
Re: (Score:1)
Also, GrapheneOS for Google phones is very well thought out, minimal, private, and secure, plus ultra easy to install. Actually, Graphene is probably the most secure and private phone OS you can get. I'd use it myself, but I like the Samsung hardware, and had a nice sammy thrown at me last time I renewed my contrac
Re: (Score:1)
Soooo much more secure!!
https://www.theguardian.com/technology/2022/aug/18/apple-security-flaw-hack-iphone-ipad-macs
https://www.macrumors.com/2022/08/18/vpns-for-ios-are-broken-says-researcher/
https://arstechnica.com/information-technology/2022/04/a-year-after-apple-enforces-app-tracking-policy-covert-ios-tracking-remains/
https://techcrunch.com/2024/07/10/apple-alerts-iphone-users-in-98-countries-to-mercenary-spy
Fear mongering (Score:5, Informative)
"Exploitation of this application on a user phone requires both physical access to the device and the user’s password."
Well, if you have that, then all bets are off.
Re: (Score:2)
I have read a few places that it also only applies to Pixel phones sold by Verizon
Showcase.apk = Package in Question (Score:3)
WashingtonPost.com - Google sold Android phones with hidden insecure feature, companies find [washingtonpost.com]
The story blurb forgot to mention the actual package name from the article.
Re: (Score:3)
Showcase.apk = com.customermobile.preload.vzw (Score:5, Informative)
This is the info below on my Google Pixel 6 running Android 14. It shows up as "Retail Demo Mode" with timestamp of 2008-12-31 18:00:00 and has permissions to install and delete packages along with the ability to run on start-up, in the background, and to manage tasks in the foreground and background, and ability to write secure and external storage, along with reboot and pretty much do whatever it wants.
You can check for this package yourself on your own device with the Android SDK Platform Tools using the adb.exe utility.
Android SDK Platform Tools [android.com]
oriole:/ $ pm list packages -f -U --show-versioncode com.customermobile.preload.vzw
package:/product/priv-app/Showcase/Showcase.apk=com.customermobile.preload.vzw versionCode:26 uid:10094
Below is the information about the package.
255|oriole:/ $ pm dump-package com.customermobile.preload.vzw
Receiver Resolver Table:
  Non-Data Actions:
      com.customermobile.preload.ManualStart:
        66c0adf com.customermobile.preload.vzw/com.customermobile.preload.StartOnBoot filter 3d4b1f5
          Action: "com.customermobile.preload.ManualStart"
      android.intent.action.BOOT_COMPLETED:
        66c0adf com.customermobile.preload.vzw/com.customermobile.preload.StartOnBoot filter ecac32c
          Action: "android.intent.action.BOOT_COMPLETED"
          Category: "android.intent.category.DEFAULT"
      com.customermobile.preload.StartOnBoot:
        66c0adf com.customermobile.preload.vzw/com.customermobile.preload.StartOnBoot filter 8469b8a
          Action: "com.customermobile.preload.StartOnBoot"

Domain verification status:

Permissions:
  Permission [com.customermobile.preload.StartOnBoot.PERMISSION] (8da7e30):
    sourcePackage=com.customermobile.preload.vzw
    uid=10094 gids=[] type=0 prot=signature
    perm=PermissionInfo{fdcd538 com.customermobile.preload.StartOnBoot.PERMISSION}
    flags=0x0
Permissions:
  Permission [com.customermobile.preload.vzw.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION] (9a8aa9):
    sourcePackage=com.customermobile.preload.vzw
    uid=10094 gids=[] type=0 prot=signature
    perm=PermissionInfo{b233a76 com.customermobile.preload.vzw.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION}
    flags=0x0
Regi
Re: (Score:2)
Thanks for the info. I looked into how to disable it on a stock Pixel without root privileges, and the following command appears to suspend it via adb shell:
cmd package suspend com.customermobile.preload.vzw
I followed up with the following commands to verify it was suspended:
dumpsys package com.customermobile.preload.vzw | grep -i "suspended"
The suspend setting seems to persist across a reboot as well.
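As an added example (not code from either of the two posts above, nor from Google or iVerify): a POSIX shell script that parses the same `pm list packages -f -U --show-versioncode` and `dumpsys package` output the posters used, so the check can be scripted across many Pixels instead of eyeballed in an adb shell. The package name and the `pm` list line come from the post above; the `dumpsys` excerpts are constructed to carry the `suspended=` flag the reply greps for and are not captured from a real device (the object hash and inode values in them are made up). With no arguments it runs on the embedded samples; with `--device` it runs the same parsers over output from a connected, authorized phone via adb.

```shell
#!/bin/sh
# Added example, not from the thread: check a Pixel for the Verizon
# "Showcase" preload (com.customermobile.preload.vzw, per the post above)
# and report whether it has been suspended with `cmd package suspend`.
# Usage: sh showcase_check.sh            # runs on the embedded samples
#        sh showcase_check.sh --device   # queries a connected phone via adb

PKG="com.customermobile.preload.vzw"

# `pm list packages -f -U --show-versioncode $PKG` output, as posted above.
SAMPLE_PM_LIST='package:/product/priv-app/Showcase/Showcase.apk=com.customermobile.preload.vzw versionCode:26 uid:10094'

# Constructed excerpts of `dumpsys package $PKG` (not from a real device);
# the per-user line carries the suspended= flag this script looks for.
SAMPLE_DUMPSYS_SUSPENDED='Packages:
  Package [com.customermobile.preload.vzw] (7d0a3c1):
    userId=10094
    codePath=/product/priv-app/Showcase
    User 0: ceDataInode=1234 installed=true hidden=false suspended=true distractionFlags=0 stopped=true notLaunched=false enabled=0 instant=false virtual=false'
SAMPLE_DUMPSYS_ACTIVE='Packages:
  Package [com.customermobile.preload.vzw] (7d0a3c1):
    userId=10094
    codePath=/product/priv-app/Showcase
    User 0: ceDataInode=1234 installed=true hidden=false suspended=false distractionFlags=0 stopped=false notLaunched=false enabled=0 instant=false virtual=false'

# Print "<apk path> <versionCode> <uid>" for PKG from `pm list packages -f -U
# --show-versioncode` output; prints nothing when the package is absent.
# Matching is on the exact package name, not a prefix.
parse_pm_list() {
    printf '%s\n' "$1" | awk -v pkg="$PKG" '
        /^package:/ {
            n = split(substr($0, 9), f, " ")        # drop the "package:" prefix
            eq = index(f[1], "=")                   # f[1] is "<path>=<package>"
            if (eq == 0 || substr(f[1], eq + 1) != pkg) next
            path = substr(f[1], 1, eq - 1); vc = ""; uid = ""
            for (i = 2; i <= n; i++) {
                if (f[i] ~ /^versionCode:/) vc = substr(f[i], 13)
                if (f[i] ~ /^uid:/) uid = substr(f[i], 5)
            }
            print path, vc, uid
        }'
}

showcase_installed()    { [ -n "$(parse_pm_list "$1")" ]; }
showcase_apk_path()     { parse_pm_list "$1" | awk '{ print $1 }'; }
showcase_version_code() { parse_pm_list "$1" | awk '{ print $2 }'; }

# Exit 0 when the dumpsys output shows the package suspended for user 0.
showcase_suspended() {
    printf '%s\n' "$1" | awk '
        $1 == "User" && $2 == "0:" { for (i = 3; i <= NF; i++) if ($i == "suspended=true") found = 1 }
        END { exit found ? 0 : 1 }'
}

# Same checks against a connected device; needs adb in PATH and an
# authorized phone. Not run unless --device is given.
check_device() {
    pm_out=$(adb shell pm list packages -f -U --show-versioncode "$PKG")
    if showcase_installed "$pm_out"; then
        echo "present: $(showcase_apk_path "$pm_out") versionCode=$(showcase_version_code "$pm_out")"
        if showcase_suspended "$(adb shell dumpsys package "$PKG")"; then
            echo "state: suspended"
        else
            echo "state: active (suspend with: adb shell cmd package suspend $PKG)"
        fi
    else
        echo "not present"
    fi
}

if [ "${1:-}" = "--device" ]; then
    check_device
else
    if showcase_installed "$SAMPLE_PM_LIST"; then
        echo "sample: present at $(showcase_apk_path "$SAMPLE_PM_LIST") (versionCode $(showcase_version_code "$SAMPLE_PM_LIST"))"
    fi
    if showcase_suspended "$SAMPLE_DUMPSYS_SUSPENDED"; then echo "sample: suspended"; fi
fi
```

The parsers compare the full package name rather than grepping for a substring, so a package whose name merely starts with the same string is not reported as the preload; and the suspended check reads the `User 0:` line specifically, since `dumpsys package` prints one such line per user profile.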
That's a nice change of pace. (Score:2)
A hidden feature that's insecure is a lot nicer than the out in the open stuff that's insecure. Thanks, Google! You're doing your part to keep the pain out of our eyes!
Re: (Score:2)
As it says... (Score:2)
..Android. :-)
Three-letter agency (Score:2)
It's a problem when other people can spy too: Sucks to be you.
Why would Google rent out ROM space like a Chinese discount brand? I say Chinese, but it's actually the Korean brands doing this the most. Back to the topic, Google providing the same lack of security as their competitors is nonsensical: Surely they weren't thinking it's THEIR hardware, they can do whatever for an extra dollar?
Maybe a three-letter agency demanded a security hole: You know, exactly what the USA assumes China did.