Google LLC has committed to removing a dubious application found on some or all Pixel phones after receiving a report that it poses a serious security vulnerability, although the severity of that vulnerability is disputed.

A report released today by mobile security firm iVerify LLC in collaboration with the security team at Palantir Technologics Inc. describes the discovery of a serious Android vulnerability that, according to the report, affects millions of Pixel devices worldwide. The vulnerability is believed to make Android accessible to cybercriminals to conduct man-in-the-middle attacks, malware injections, and spyware installations.

The vulnerability affects an Android app package called Showcase.apk. According to the iVerify report, the application runs at the system level and can fundamentally modify the phone’s operating system. The application package is installed via unsecured HTTP protocols, opening a backdoor through which cybercriminals can easily compromise the device.

The report notes that users cannot remove the app because it is part of the firmware image and Google does not allow end users to modify the firmware image for security reasons.

“While we have no evidence that this vulnerability is being actively exploited, it still has serious implications for enterprise environments, as millions of Android phones are deployed in the workplace every day,” said Rocky Cole, co-founder and chief operations officer of iVerify, in a statement sent to SiliconANGLE. “Google is essentially giving CISOs the impossible choice of embracing insecure bloatware or banning Android entirely.”

The report also claimed that Google was also made aware of the vulnerability and provided iVerifty with a detailed report on the issue. “It is unclear whether Google will issue a patch or remove the software from the phones to mitigate the potential risks,” the report said.

While Google has acknowledged that the file could cause security issues, the search engine giant is divided on how serious the actual security risk is.

A Google spokesperson who spoke to CNET claims that the app was developed by Smith Micro Software Inc. for Verizon Communications Inc. and is not an Android or Pixel vulnerability. It also claims that the app was only used for in-store devices and is no longer used.

Furthermore, Google denies the risk involved. “Using this app on a user’s phone requires both physical access to the device and the user’s password… we have not seen any evidence of active use,” the spokesperson added. “As an abundance of caution, we will be removing this from all supported Pixel devices in the market with an upcoming Pixel software update.”

The claims come after Google announced its latest Pixel lineup at an event on August 13. Google announced a new family of Pixel 9 smartphones as well as the Pixel 9 Pro Fold, which feature the artificial intelligence of the company’s Gemini family of models.

Image: SiliconANGLE/Ideogram