Google removes hidden Pixel app that could have left millions of phones vulnerable to malware, spyware and other attacks

Google Pixel 8 shown held in hand
(Image credit: Tom's Guide)

If you own a Pixel phone that you bought through Verizon, it could be vulnerable to man-in-middle attacks, malware and spyware thanks to a pre-installed app.

According to a new blog post from the mobile device security firm iVerify, a severe vulnerability in this app could be exploited by hackers to launch all sorts of different attacks targeting Pixel users.

To make matters worse, this app can’t be uninstalled because it’s part of the firmware image that ships with Pixel devices, as Google doesn’t allow end users to alter it for security reasons.

Here’s everything you need to know about this hidden Pixel app and what steps Google is taking to remedy this situation, along with some tips on how to keep your Android smartphone safe from hackers.

Weaponizing demo mode

The app in question is an APK file called Showcase which comes pre-installed on Pixel phones sold through Verizon. As you might have guessed from the name, it’s designed to ‘showcase’ Pixel-specific features when a device is placed in demo mode at Verizon’s retail stores.

The app itself isn’t inherently malicious but it contains a severe vulnerability that can be exploited by hackers. However, iVerify has yet to see this flaw weaponized by hackers in the wild.

Since the app is installed using HTTP instead of the more secure HTTPS, it creates a backdoor which can be used by cybercriminals to compromise Pixel devices. For instance, a hacker could leverage it to access system privileges and take over a device. They could also use it to distribute malicious apps, remote code and to “configure files to compromise the app development chain and alter the app’s functionality” according to iVerify and Palantir Technologies’ research.

A Google spokesperson provided further insight into the matter in an email to Tom's Guide:

"This is not an Android platform nor Pixel vulnerability, this is an APK developed by Smith Micro for Verizon in-store demo devices and is no longer being used. Exploitation of this app on a user phone requires both physical access to the device and the user's password. We have seen no evidence of any active exploitation. Out of an abundance of precaution, we will be removing this from all supported in-market Pixel devices with an upcoming Pixel software update.”

If you don’t own a Pixel phone yet or are considering upgrading to one, Google points out that the app won’t come pre-installed on the Pixel 9, Pixel 9 Pro and the Pixel 9 Pro XL. At the same time, the search giant is also notifying other Android OEMs about the risks an app like this one poses to users.

How to keep your Pixel phone safe from hackers

A hand holding a phone securely logging in

(Image credit: Google)

Even if you don’t own a Pixel phone purchased through Verizon, you still need to be on the lookout for hackers that want to take over your device and steal the sensitive data stored on it.

To keep your Pixel phone safe, you first want to ensure that Google Play Protect is enabled as this pre-installed security app can scan all of your existing apps and any new ones you download for malware. From here, you may also want to consider using one of the best Android antivirus apps alongside it as they provide additional protection along with some other useful extras like a VPN or a password manager.

The biggest thing that sets Google’s Pixel devices apart from the other entries on our list of the best Android phones is that they receive security patches and updates before other smartphones do. However, to benefit from this, you need to install them when they become available. Keeping your phone up to date and running the latest software is the easiest way to stay safe from hackers who often leverage older vulnerabilities in their attacks.

Google is in the process of having this hidden Pixel app removed and going forward, I doubt Verizon will require an app like this to come pre-installed on the phones it sells.

More from Tom's Guide

Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.