Over a decade ago I had a Galaxy Nexus on Verizon, a carrier exclusive to the US. Verizon and Android fans who were committed to Google’s “pure” Android builds were unhappy roommates, as the phone got bogged down by Verizon apps and consistently late with OS updates. I can’t help but be reminded of it when I see a pre-loaded Verizon app deep in the bowels of a Google Pixel phone. That app, Showcase.apk, is finally disappearing.
The app is a system tool used by Verizon retail employees to give in-store demos, the kind of limited environment that showcases some of the phone’s capabilities and much of the carrier’s hyperbolic marketing. Unfortunately, it’s also a pretty glaring security hole thanks to its system-level access and the fact that regular users can’t remove it without some serious tinkering.
According to a report from iVerify and Palantir, the Showcase app contains an unsecured backdoor thanks to its ability to install over unsecured HTTP. Theoretically, it’s possible for someone to cause serious damage to a Pixel phone with the app preloaded on it, including virtually every Pixel sold by Verizon since 2017 (or as a Verizon version sold by partners like Best Buy).
The good news is that while this app shockingly leaves your phone open to attacks, these attacks rely on physical access first, and there’s no evidence that the app is actually being used as a vector in the wild.
Google decided it had to be done anyway, in a better-than-sorry approach. A Google spokesperson told Android Authority that a future Pixel software update will remove the app from “all supported Pixel devices in the market.” So every Pixel phone still getting updates: Pixel 4 and newer, including the new Pixel 9 phones when they go on sale in September.