Security firm iVerify found stock Google Pixel devices' app "showcase" With Excessive System Privileges, Including Remote Code Execution (update from GrapheneOS devs added) (iverify.io)

submitted 3 months ago* (last edited 3 months ago) by yogthos@lemmygrad.ml to c/technology@hexbear.net

9 comments fedilink hide all child comments

Verify discovered an Android package, "Showcase.apk," with excessive system privileges, including remote code execution and remote package installation capabilities, on a very large percentage of Pixel devices shipped worldwide since September 2017

The application downloads a configuration file over an unsecure connection and can be manipulated to execute code at the system level

The application retrieves the configuration file from a single US-based, AWS-hosted domain over unsecured HTTP, which leaves the configuration vulnerable and can makes the device vulnerable

Cybercriminals can use vulnerabilities in the app's infrastructure to execute code or shell commands with system privileges on Android devices to take over devices to perpetrate cybercrime and breaches

Removal of the app is not possible through a user’s standard uninstallation process, and at this time, Google has not offered a patch for the vulnerability

It appears that Showcase.apk is preinstalled in Pixel firmware and included in Google’s OTA image for Pixel devices

Now imagine this happend to a Chinese phone from any manufacturer, may it be Xiaomi, Oneplus or whatever - could you imagine the outcry?

update from GrapheneOS devs explaining that the exploit isn't as bad as it initially looks https://grapheneos.social/@GrapheneOS/112967309987371034

you are viewing a single comment's thread
view the rest of the comments

[-] yogthos@lemmygrad.ml 10 points 3 months ago

You genuinely telling me western media wouldn't have field day with this if the same thing was found on a phone from a Chinese company?

[-] krolden@lemmy.ml 4 points 3 months ago

No I'm telling you this is not that big of a deal and any device like this (especially with the stock firmware) you use probably has even more unpatched vulnerabilities.

Also I didn't say anything about what the media response would be like, I'm only speaking about the vulnerability itself. Your jump to make this political is just reactionary. Yes theres more attention on vulnerabilities from Chinese company built devices but thats nothing new.

[-] yogthos@lemmygrad.ml 10 points 3 months ago

My whole point was about the double standard applied to US and Chinese tech. You were specifically asking what the outcry would be over, and you yourself admit that there would indeed be outcry in the west if it was a Chinese company. The fact that you don't get the political angle here is entirely a you problem.

this post was submitted on 17 Aug 2024

44 points (95.8% liked)

technology

23308 readers

307 users here now

On the road to fully automated luxury gay space communism.

Spreading Linux propaganda since 2020

Rules:

1. Obviously abide by the sitewide code of conduct. Bigotry will be met with an immediate ban
2. This community is about technology. Offtopic is permitted as long as it is kept in the comment sections
3. Although this is not /c/libre, FOSS related posting is tolerated, and even welcome in the case of effort posts
4. We believe technology should be liberating. As such, avoid promoting proprietary and/or bourgeois technology
5. Explanatory posts to correct the potential mistakes a comrade made in a post of their own are allowed, as long as they remain respectful
6. No crypto (Bitcoin, NFT, etc.) speculation, unless it is purely informative and not too cringe
7. Absolutely no tech bro shit. If you have a good opinion of Silicon Valley billionaires please manifest yourself so we can ban you.

founded 4 years ago

MODERATORS

Jadzia_Dax@hexbear.net

context@hexbear.net

EmmaGoldman@hexbear.net

SexUnderSocialism@hexbear.net

gaycomputeruser@hexbear.net

ZoomeristLeninist@hexbear.net