Google removes “Showcase” app from Pixel after security flaw

A new report reveals that many Google Pixel phones sold in recent years ship with a “Showcase” app that exposes a worrying security flaw, but it will soon be fixed.

“Showcase” affects almost all Pixel phones and is an APK that has been pre-installed on Google devices for years. The app was developed by Smith Micro for Verizon and was used to launch a retail mode on the device. As WIRED reports, however, the app is pre-installed on “every Android version for Pixel,” out of the user’s reach.

Showcase is said to have elevated system privileges, including the ability to remotely install software or execute code. The app is designed to download a configuration file, and that download appears to happen over an unencrypted HTTP connection that is vulnerable to hijacking. That is the biggest concern with this app. The extensive permissions that Showcase has within Android on Pixel devices could open the devices to control by malicious third parties.

iVerify, the company that discovered the vulnerability, shared its findings with Google in May, describing the problem as “unique in some ways and quite disturbing.”

For end users, the risk here seems minimal. Although the app comes pre-installed on Pixel devices, it is disabled by default. Enabling it requires physical access to the device (and the passcode). And in our brief testing, there is no easy way to access the app.

Google also acknowledged the vulnerability and confirmed that it will remove Showcase from Pixel devices “in the coming weeks.” Google also confirmed that the app is no longer used by Verizon or Google and that there is no evidence of active exploitation of the vulnerability.

The Pixel 9 series ships without “Showcase” installed.

The vulnerability was discovered by iVerify on behalf of data analytics firm Palantir. However, Google’s response to the issue was seen as “slow” and “opaque” and led to Palantir pulling Pixel devices, and Android devices altogether, from use within the company. Palantir’s chief information security officer said that Google’s response and the fact that the app was not disclosed up front “severely undermined our trust in the ecosystem.”

It is not clear whether Showcase is also installed on other Android devices, but Google is apparently “notifying other Android OEMs.”

There is no information yet on when exactly “Showcase” will be removed from all “supported” Pixel devices, but it will likely happen with the upcoming security patches.
