Millions of Pixel phones could be vulnerable to a new cyberattack – here's what you need to know


Cybersecurity firm iVerify recently discovered a serious vulnerability affecting millions of Pixel smartphones worldwide and published its findings in a new report. According to the document, the offending software is called Showcase.apk.

It was originally developed by third-party company Smith Micro Software for demo devices inside Verizon stores. Employees at these locations would have deep access to a Pixel phone’s many functions in order to “demonstrate how they work” to interested customers. Normally, Showcase is dormant; it doesn’t do anything. However, it is possible for a skilled-enough hacker to activate it via a backdoor.

The APK (Android Package Kit) receives its configuration file from an insecure domain on Amazon Web Services. A bad actor could, theoretically, intercept these connections or impersonate the website and inject a Pixel phone with malware or spyware. Plus, since Showcase has “excessive system privileges”, it’s easy for cybercriminals to compromise a target.

What’s particularly scary is Showcase has been a part of the Google Pixel ecosystem since September 2017. And the worst part is the average user cannot remove the APK through the standard uninstallation process as it is considered a system-level app. iVerify states “only Google can fix” this.

Fix underway

As bad as things may be, there is good news. First, it appears no one, not even the bad actors, knew about the exploit. A Google spokesperson told The Washington Post that they haven’t seen any attacks that could be attributed to Showcase. They claimed there isn’t any evidence of “active exploitation” and went as far as to suggest such an attack “would be unlikely.”

Google is well aware of the problem. The tech giant told Forbes they are taking action “out of an abundance of precaution” and planning to roll out a patch to all “supported in-market Pixel devices”. Don’t worry about the Pixel 9 series as none of the four models have Showcase.apk.

Verizon has also been made aware of the report. They state that they no longer use the Showcase function, and similarly, the carrier didn’t see any evidence of ongoing exploitation. However, like Google, Verizon is removing the function from supporting phones “out of an abundance of precaution”.

Patch availability

We reached out to Google for clarification, and the same spokesperson from earlier shared similar information, although they added that this isn't an Android or Pixel vulnerability. Instead, the tech giant is pointing the finger at Smith Micro. They tell us the patch for Pixel phones is rolling out within the coming week and Google is notifying other Android manufacturers, implying that third-party devices could have the same problem.

No word on when third-party Androids will receive their own fix. Presumably, it will all be at the behest of the other brands.

If you're looking for ways to improve device security, check out TechRadar's seven tips on how to keep your smartphone safe.

Cesar Cadenas
Contributor

Cesar Cadenas has been writing about the tech industry for several years now specializing in consumer electronics, entertainment devices, Windows, and the gaming industry. But he’s also passionate about smartphones, GPUs, and cybersecurity. 
