Android Google Privacy Security

Google Sold Android Phones With Hidden Insecure Feature, Companies Find (washingtonpost.com)

Google's master software for some Android phones includes a hidden feature that is insecure and could be activated to allow remote control or spying on users, according to a security company that found it inside phones at a U.S. intelligence contractor. From a report: The feature appears intended to give employees at stores selling Pixel phones and other models deep access to the devices so they can demonstrate how they work, according to researchers at iVerify who shared their findings with The Washington Post. The discovery and Google's lack of explanation alarmed the intelligence contractor, data analysis platform vendor Palantir Technologies, to the extent that it has stopped issuing Android phones to employees, Palantir told The Post.

"Mobile security is a very real concern for us, given where we're operating and who we're serving," Palantir Chief Information Security Officer Dane Stuckey said. "This was very deleterious of trust, to have third-party, unvetted insecure software on it. We have no idea how it got there, so we made the decision to effectively ban Androids internally." The security company said it contacted Google about its findings more than 90 days ago and that the tech giant has not indicated whether it would remove or fix the application. On Wednesday night, Google told The Post that it would issue an update to remove the application. "Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update," said company spokesperson Ed Fernandez. He said distributors of other Android phones would also be notified.

  • by Rosco P. Coltrane ( 209368 ) on Thursday August 15, 2024 @11:09AM (#64708686)

    I'm utterly shocked. My illusions are shattered...

  • by david.emery ( 127135 ) on Thursday August 15, 2024 @11:18AM (#64708716)

    Listening to Palantir complain about spyware installed on Android does have a certain "pot calling the kettle black" sense to it.

    • by srg33 ( 1095679 )

      Yes. How about "It takes one to know one"?

    • by haruchai ( 17472 )

      Listening to Palantir complain about spyware installed on Android does have a certain "pot calling the kettle black" sense to it.

      Peter Thiel doesn't like having his secrets exposed

    • Mostly complaining because they thought they had an exclusivity contract for spying.

    • Didn't they dump iPhone too after the GPU hardware backdoor was disclosed?

      Pine64 ftw?

    • I'm more curious about their statement of "unvetted insecure software". Are they saying they've had access to and gone through all of Android's code base? If not, are they saying they implicitly trust Google for some software but not for others?

      This entire story reeks of virtue signalling.

      • It's easy to say it's insecure. It connects to a remote server for provisioning/instructions. And it does that over HTTP, so it's vulnerable to MITM attacks.

    • Having pre-exploited units eats into their bottom line
  • Are they usually not hidden?

  • The Pixel hardware is excellent. A Googled OS can never be trusted. Same for Samsung or any phone from Verizon or ATT.

    CalyxOS is not that difficult.

    • I was going to say the same thing ... Billion dollar company can't get a few techies to install Lineage or Graphene... or just create a de-googled software manifest ... like I did for my clients??

      Also, GrapheneOS for Google phones is very well thought out, minimal, private, and secure, plus ultra easy to install. Actually, Graphene is probably the most secure and private phone OS you can get. I'd use it myself, but I like the Samsung hardware, and had a nice sammy thrown at me last time I renewed my contrac
      • The company doing this deep analysis is called "iVerify" .... so... Yup, they switched to Apple.
        Soooo much more secure!!

        https://www.theguardian.com/technology/2022/aug/18/apple-security-flaw-hack-iphone-ipad-macs
        https://www.macrumors.com/2022/08/18/vpns-for-ios-are-broken-says-researcher/
        https://arstechnica.com/information-technology/2022/04/a-year-after-apple-enforces-app-tracking-policy-covert-ios-tracking-remains/
        https://techcrunch.com/2024/07/10/apple-alerts-iphone-users-in-98-countries-to-mercenary-spy
  • Fear mongering (Score:5, Informative)

    by war4peace ( 1628283 ) on Thursday August 15, 2024 @12:13PM (#64708906)

    "Exploitation of this application on a user phone requires both physical access to the device and the user’s password."

    Well, if you have that, then all bets are off.

  • by JakFrost ( 139885 ) on Thursday August 15, 2024 @12:23PM (#64708944)

    "The application, called Showcase.apk, is normally dormant. But iVerify was able to enable it on a device in its possession, and the company believes skilled hackers could also enable it from afar. It cannot be removed from phones through the normal uninstall process."

    WashingtonPost.com - Google sold Android phones with hidden insecure feature, companies find [washingtonpost.com]

    The story blurb forgot to mention the actual package name from the article.

    • "The issue relates to a software package called "Showcase.apk" that runs at the system level and lurks invisible to users. The application was developed by the enterprise software company Smith Micro for Verizon as a mechanism for putting phones into a retail store demo mode—it is not Google software. Yet for years, it has been in each Android release for Pixel and has deep system privileges, including remote code execution and remote software installation. Even riskier, the application is designed to

      • by JakFrost ( 139885 ) on Thursday August 15, 2024 @01:20PM (#64709106)

        This is the info below from my Google Pixel 6 running Android 14. It shows up as "Retail Demo Mode" with a timestamp of 2008-12-31 18:00:00 and has permissions to install and delete packages, along with the ability to run on start-up, in the background, and to manage tasks in the foreground and background, and the ability to write secure and external storage, along with reboot and pretty much do whatever it wants.

        You can check for this package yourself on your own device with the Android SDK Platform Tools using the adb.exe utility.

        Android SDK Platform Tools [android.com]

        1. Install Android SDK Platform Tools.
        2. Enable Developer Mode on your phone by going to Settings -> System -> Press the Build Number section a few times, enter the PIN code.
        3. Go to the Settings -> System -> Developer Options and enable USB Debugging.
        4. Connect your phone to the USB cable to your computer.
        5. Answer the prompt on your phone to accept the hash key to your computer.
        6. Execute the command to see if your device is listed, and if not troubleshoot the USB connection: adb.exe devices -l
        7. Execute the command to start the shell: adb.exe shell
        8. Execute the command to check if the package exists: pm list packages -f -U --show-versioncode com.customermobile.preload.vzw
        9. Execute the command to get package details: pm dump-package com.customermobile.preload.vzw


        oriole:/ $ pm list packages -f -U --show-versioncode com.customermobile.preload.vzw

        package:/product/priv-app/Showcase/Showcase.apk=com.customermobile.preload.vzw versionCode:26 uid:10094

        Below is the information about the package.

        255|oriole:/ $ pm dump-package com.customermobile.preload.vzw

        Receiver Resolver Table:
        Non-Data Actions:
        com.customermobile.preload.ManualStart:
        66c0adf com.customermobile.preload.vzw/com.customermobile.preload.StartOnBoot filter 3d4b1f5
        Action: "com.customermobile.preload.ManualStart"
        android.intent.action.BOOT_COMPLETED:
        66c0adf com.customermobile.preload.vzw/com.customermobile.preload.StartOnBoot filter ecac32c
        Action: "android.intent.action.BOOT_COMPLETED"
        Category: "android.intent.category.DEFAULT"
        com.customermobile.preload.StartOnBoot:
        66c0adf com.customermobile.preload.vzw/com.customermobile.preload.StartOnBoot filter 8469b8a
        Action: "com.customermobile.preload.StartOnBoot"

        Domain verification status:

        Permissions:
        Permission [com.customermobile.preload.StartOnBoot.PERMISSION] (8da7e30):
        sourcePackage=com.customermobile.preload.vzw
        uid=10094 gids=[] type=0 prot=signature
        perm=PermissionInfo{fdcd538 com.customermobile.preload.StartOnBoot.PERMISSION}
        flags=0x0

        Permissions:
        Permission [com.customermobile.preload.vzw.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION] (9a8aa9):
        sourcePackage=com.customermobile.preload.vzw
        uid=10094 gids=[] type=0 prot=signature
        perm=PermissionInfo{b233a76 com.customermobile.preload.vzw.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION}
        flags=0x0

        Regi

        • by Equuleus42 ( 723 )

          Thanks for the info. I looked into how to disable it on a stock Pixel without root privileges, and the following command appears to suspend it via adb shell:

                cmd package suspend com.customermobile.preload.vzw

          I followed up with the following commands to verify it was suspended:

                dumpsys package com.customermobile.preload.vzw | grep -i "suspended"

          The suspend setting seems to persist across a reboot as well.
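The two checks in this sub-thread (JakFrost's `pm list packages` lookup and Equuleus42's `dumpsys package ... suspended` verification) can be folded into one small audit script. The script below is an added example and is not code from either commenter, Google, or iVerify. It parses the command output rather than just eyeballing it: `pm list packages` matches package names as a substring, so the parser insists on an exact name match, and the suspended state is read from the per-user `suspended=` field that `dumpsys package` prints. The sample output embedded at the bottom is constructed from the paste above for offline use; the device path only runs when `--device` is passed and assumes `adb` is on PATH.

```shell
#!/bin/sh
# Added example: audit a connected Pixel for the Showcase package and report
# whether it is present and whether it has been suspended. Not the thread
# authors' code; pure POSIX sh + awk so it runs from any adb host.

PKG="com.customermobile.preload.vzw"

# parse_pm_list: reads `pm list packages -f -U --show-versioncode <pkg>` output
# on stdin. Prints "present <apk-path> <versionCode> <uid>" on an exact package
# name match, otherwise "absent". (pm filters by substring, hence the exact check.)
parse_pm_list() {
  awk -v pkg="$PKG" '
    index($0, "package:") == 1 {
      split($1, kv, "=")            # kv[1] = "package:/path/App.apk", kv[2] = name
      if (kv[2] == pkg) {
        path = substr(kv[1], 9)     # drop the leading "package:"
        vc = ""; uid = ""
        for (i = 2; i <= NF; i++) {
          if (index($i, "versionCode:") == 1) vc = substr($i, 13)
          if (index($i, "uid:") == 1)         uid = substr($i, 5)
        }
        print "present " path " " vc " " uid
        found = 1
      }
    }
    END { if (!found) print "absent" }'
}

# parse_suspended: reads `dumpsys package <pkg>` output on stdin and classifies
# the per-user state lines ("User 0: ... suspended=true ..."):
#   suspended -> every user line reports suspended=true
#   active    -> at least one user line reports suspended=false
#   unknown   -> no user state line found (package missing or output truncated)
parse_suspended() {
  awk '
    /User [0-9]+:/ && /suspended=true/  { s = 1 }
    /User [0-9]+:/ && /suspended=false/ { a = 1 }
    END {
      if (a)      print "active"
      else if (s) print "suspended"
      else        print "unknown"
    }'
}

# audit_device: run both checks against the attached device (requires adb).
audit_device() {
  adb shell pm list packages -f -U --show-versioncode "$PKG" | parse_pm_list
  adb shell dumpsys package "$PKG" | parse_suspended
}

# Constructed sample output, modelled on the paste above (not a live capture).
SAMPLE_PM_LIST='package:/product/priv-app/Showcase/Showcase.apk=com.customermobile.preload.vzw versionCode:26 uid:10094'
SAMPLE_DUMPSYS_SUSPENDED='Packages:
  Package [com.customermobile.preload.vzw] (constructed):
    User 0: installed=true hidden=false suspended=true stopped=true'
SAMPLE_DUMPSYS_ACTIVE='Packages:
  Package [com.customermobile.preload.vzw] (constructed):
    User 0: installed=true hidden=false suspended=false stopped=false'

if [ "${1:-}" = "--device" ]; then
  audit_device
fi
```

Run it as `sh audit_showcase.sh --device` with USB debugging enabled; a result of `present ... / active` means the package is installed and still runnable, `present ... / suspended` means the `cmd package suspend` mitigation from the reply above is in effect.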

  • A hidden feature that's insecure is a lot nicer than the out in the open stuff that's insecure. Thanks, Google! You're doing your part to keep the pain out of our eyes!

  • ..Android. :-)

  • ... intelligence contractor ...

    It's a problem when other people can spy too: Sucks to be you.

    ... upcoming Pixel software update ...

    Why would Google rent out ROM-space like a Chinese discount brand? I say Chinese, but it's actually the Korean brands doing this the most. Back to the topic, Google providing the same lack of security as their competitors is nonsensical: Surely they weren't thinking it's THEIR hardware, so they can do whatever for an extra dollar?

    Maybe a three-letter agency demanded a security-hole: You know, exactly what the USA assumes China did.
