Article <v9mdek$145d$1@nnrp.usenet.blueworldhosting.com>

Deutsch English Français Italiano
<v9mdek$145d$1@nnrp.usenet.blueworldhosting.com>

View for Bookmarking (what is this?)
Look up another Usenet article
Path: ...!weretis.net!feeder9.news.weretis.net!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!nnrp.usenet.blueworldhosting.com!.POSTED!not-for-mail
From: Andrew <andrew@spam.net>
Newsgroups: comp.mobile.android
Subject: Re: Washington Post says Google sold Android phones with hidden insecure feature
Date: Fri, 16 Aug 2024 02:27:32 -0000 (UTC)
Organization: BWH Usenet Archive (https://usenet.blueworldhosting.com)
Message-ID: <v9mdek$145d$1@nnrp.usenet.blueworldhosting.com>
References: <v9ljlv$n71$1@nnrp.usenet.blueworldhosting.com> <v9ls35$sf9a$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 16 Aug 2024 02:27:32 -0000 (UTC)
Injection-Info: nnrp.usenet.blueworldhosting.com;
	logging-data="37037"; mail-complaints-to="usenet@blueworldhosting.com"
User-Agent: NewsTap/5.5 (iPad)
Cancel-Lock: sha1:4g1znGMozGxovgilte4dr2xj1Vg= sha256:Irk0fdd3TOI0WcYaQP79Q9/DU6xjNF8XDKVDn2ChEoE=
	sha1:wj8upMLzELBw62l3whyklWc5SBE= sha256:CPgeigrxyr2Cgp1xQNFXeKcfxmzQRUUgNRcNxuzR0CI=
X-Face: VQ}*Ueh[4uTOa]Md([|$jb%rw~ksq}bzqA;z-.*8JM`4+zL[`N\ORHCI80}]}$]$e5]/i#v  qdYsE`yh@ZL3L{H:So{yN)b=AZJtpaP98ch_4W}
Bytes: 2955
Lines: 33

Jeff Layman wrote on Thu, 15 Aug 2024 22:31:17 +0100 :

> I assume that showcase.apk was removed when grapheneOS was installed as 
> that is intended for use in Pixel phones.

You're correct that "showcase.apk" seems to be the culprit, according to
this news article about the Pixel flaw which shipped since 2017 apparently.
 *Researchers claim most Google Pixel phones shipped with exploitable bloatware since 2017*
 <https://www.engadget.com/mobile/smartphones/researchers-claim-most-google-pixel-phones-shipped-with-exploitable-bloatware-since-2017-185926564.html>

 "The issue relates to "Showcase.apk," a bit of software made for
  Verizon and used to put Pixel devices in demo mode while displayed 
  in retail stores.

  The software downloads a configuration file over an unencrypted 
  web connection, which - because of Showcase's deep access - might
  allow bad actors to perform remote code execution or remote 
  package installation on the device.

  The especially troubling part of this discovery is that Showcase 
  can't be uninstalled at the user level. And while it is not 
  enabled by default, iVerify said there could be multiple ways 
  to activate the software. iVerify alerted Google to the 
  vulnerability in May; thus far there's no confirmed evidence
  it's been exploited in the wild.

  A Google spokesperson told Wired that Showcase is no longer being
  used by Verizon and that Google would have a software update to
  remove the software from all Pixel devices in the coming weeks.

  Additionally, the rep said Showcase is not present in the line 
  of Google Pixel 9 devices announced during the Made by Google 
  event this week."