iVerify Discovers Android Vulnerability Impacting Millions of Pixel Devices Around the World

iVerify discovered that a preinstalled system app, Showcase.apk (developed by Smith Micro), shipped on many Google Pixel devices since September 2017, fetches a configuration over unsecured HTTP and runs with excessive system privileges; this allows remote code execution, remote package installation, and exposes devices to MITM-based code injection and spyware. The app cannot be removed by users, may be enabled via methods requiring access, and Google has not yet provided a patch following iVerify's disclosure.