Google removes app from Pixel devices after claims it makes phones vulnerable
Google and a cybersecurity company are disputing claims that an application on Android phones made the devices vulnerable to cyberattacks and spyware.

On Thursday, cybersecurity firm iVerify published a report on an Android package called “Showcase.apk” that had been installed on a large number of Pixel devices shipped worldwide since September 2017.

The Showcase.apk code runs with system-level privileges and, according to iVerify, is designed to turn a phone into a retail demo device, which fundamentally changes how the operating system behaves.

The company said the application “leaves millions of Android Pixel devices vulnerable to man-in-the-middle (MITM) attacks and gives cybercriminals the ability to inject malicious code and dangerous spyware.”

Researchers at iVerify said they discovered the app on a device used by an employee of tech giant Palantir.

A Palantir executive said iVerify flagged one of the company’s Android devices as insecure earlier this year, triggering an investigation. The Palantir spokesperson confirmed iVerify’s finding that the application package “leaves the operating system open to hackers.”

“Palantir will be completely removing Android devices from the market over the next few years, not only because of this vulnerability, but also because of previous discoveries,” a company spokesperson said.

When asked by Recorded Future News, Google denied numerous claims made by iVerify and stated that the issue is “neither a vulnerability in the Android platform nor in Pixel.”

A Google spokesperson said the package was developed by remote access software company Smith Micro for Verizon, which installed it on devices for in-store demos but no longer uses it.

“Exploiting this app on a user’s phone requires both physical access to the device and the user’s password. We have not seen any evidence of active exploitation,” the Google spokesperson said.

“As an abundance of caution, we will be removing this from all supported Pixel devices in the market with an upcoming Pixel software update. The app is not present on Pixel 9 series devices. We are also notifying other Android device manufacturers.”

The Google spokesperson added that the application is owned by Verizon, which requires it on all of its Android devices. He noted that, according to iVerify’s own report, no evidence was found of a way to exploit the reported vulnerabilities on devices where the Showcase application is not enabled, unless the attacker has physical access to the device and developer mode is enabled.

A Verizon executive said they were aware of the issue, but told Recorded Future News that the feature that allows in-store demos of Android devices is “no longer used by Verizon in stores and is not used by consumers either.”

“We have not seen any evidence of exploitation of this feature. As a precautionary measure, Android (Original Equipment Manufacturer) will remove this demo feature from all supported devices,” the Verizon spokesperson said.

Rocky Cole, co-founder of iVerify, disagreed with Google’s assessment, telling Recorded Future News that Google “made a business decision to force the Verizon software on all Pixel users without giving them the option to remove it.”

“The idea that physical access is required to exploit the package is just an assumption,” Cole said. “This is an Android vulnerability, regardless of what Google says.”

Part of the problem, according to iVerify, is that the application runs at the system level, potentially allowing someone to “fundamentally alter the phone’s operating system.” iVerify said it sent a report of the issue to Google but never learned whether Google planned to issue a patch or remove the software.

Researchers at iVerify explained that users cannot remove the app themselves and that this has created an “untrustworthy ecosystem” that forces security officials to “choose between the risk of leaving the bloatware running on employees’ phones and banning Androids at the same time.”

“While we have no evidence that this vulnerability is being actively exploited, it still has serious implications for enterprise environments as millions of Android phones are used in the workplace every day,” Cole said.

The company’s researchers believe that cybercriminals could exploit vulnerabilities in the app’s infrastructure to take over a device or use it to distribute other malicious Android packages.

The researchers also questioned why Google needs to install a third-party application on every Pixel device “when only a very small number of devices would need the Showcase.apk.”

“On most devices iVerify researchers analyzed, the app was inactive by default and had to be manually activated,” they said, adding that they had redacted the app’s activation method but warned that there “may be other ways to activate the app or situations where the app is enabled by default.”