44
submitted 3 months ago* (last edited 3 months ago) by yogthos@lemmygrad.ml to c/technology@hexbear.net

Verify discovered an Android package, "Showcase.apk," with excessive system privileges, including remote code execution and remote package installation capabilities, on a very large percentage of Pixel devices shipped worldwide since September 2017

The application downloads a configuration file over an unsecure connection and can be manipulated to execute code at the system level

The application retrieves the configuration file from a single US-based, AWS-hosted domain over unsecured HTTP, which leaves the configuration vulnerable and can makes the device vulnerable

Cybercriminals can use vulnerabilities in the app's infrastructure to execute code or shell commands with system privileges on Android devices to take over devices to perpetrate cybercrime and breaches

Removal of the app is not possible through a user’s standard uninstallation process, and at this time, Google has not offered a patch for the vulnerability

It appears that Showcase.apk is preinstalled in Pixel firmware and included in Google’s OTA image for Pixel devices

Now imagine this happend to a Chinese phone from any manufacturer, may it be Xiaomi, Oneplus or whatever - could you imagine the outcry?

update from GrapheneOS devs explaining that the exploit isn't as bad as it initially looks https://grapheneos.social/@GrapheneOS/112967309987371034

you are viewing a single comment's thread
view the rest of the comments
[-] communism@lemmy.ml 5 points 3 months ago

You should edit this into the op, or probably the title too since a lot of people only read the title and nothing else

this post was submitted on 17 Aug 2024
44 points (95.8% liked)

technology

23308 readers
307 users here now

On the road to fully automated luxury gay space communism.

Spreading Linux propaganda since 2020

Rules:

founded 4 years ago
MODERATORS