Announcements

Debunking fake stock Pixel OS vulnerability from an EDR company

Wired was manipulated into spreading misinformation to market Palantir and iVerify by misrepresenting a vulnerability in a disabled demo app as being a serious problem which could be exploited in the real world. They should retract the article but won't.

https://wired.com/story/google-android-pixel-showcase-vulnerability/

iVerify are scammers and anyone paying them money should rapidly stop doing it and remove their malware from their devices. The real security risk is giving remote code execution on your devices to one of these sketchy EDR companies lying about their capabilities and discoveries.

This is one of multiple carrier apps in the stock Pixel OS which we don't include in GrapheneOS. We were aware of it already since we had to go through them and figure out why they exist. We could embrace this fearmongering and leverage it for marketing, but we aren't dishonest.

"iVerify vice president of research [...] points out that while Showcase represents a concerning exposure for Pixel devices, it is turned off by default. This means that an attacker would first need to turn the application on in a target's device before being able to exploit it."

"The most straightforward way to do this would involve having physical access to a victim's phone as well as their system password or another exploitable vulnerability that would allow them to make changes to settings. Google's Fernandez emphasized this limiting factor as well."

Wired should retract the article and explain how they're going to do better. They keep publishing this kind of fearmongering misinformation from information security industry charlatans. There are real remote code execution flaws being fixed in Android and iOS but they push this.

GrapheneOS has gone through each of the carrier apps included on each Pixel generation to determine their purpose and the consequences of including or excluding them. Here it is being excluded from the new adevtool project for ProtonAOSP and GrapheneOS in 2021:

https://github.com/GrapheneOS/adevtool/commit/9c5ac945f#diff-95eb7b50f2781158146e721436d7c5d6f7421755906307a6b7a1f727bb20d53eR109

GrapheneOS has publicly posted about the carrier apps included on Pixels and their privileged permissions on numerous occasions. We talked about the ones which get enabled automatically based on using a SIM from a carrier rather than a disabled demo without an automatic trigger.

Here's a thread from 2017 posted from our project's previous Twitter account which was stolen in 2018:

https://x.com/CopperheadOS/status/903362108053704704

Incredibly important to note that this thread directly involves the CEO of Trail of Bits that's now claiming their iVerify team discovered these apps.

Stock Pixel OS no longer gives the same level of access to the active carrier. This disabled demo app was never a real part of the problem, but it was part of the apps we were referring to and excluding. We didn't claim credit for discovering this when we became aware of it in 2015.

Dan Guido, CEO of the company behind iVerify, has repeatedly called out charlatans in the infosec industry. It's incredibly hypocritical to use the same tactics and expect not to be held to the same standard. We're not doing anything he hasn't done himself many times before.

It's ridiculous to falsely claim something is a backdoor and then get upset your EDR software remotely monitoring devices and opening up new security holes is called malware. An app running within an increasingly strict sandbox trying to defend devices is an unworkable approach.

Since this fits into a standard narrative pushed by mainstream news coverage, their dubious iVerify product will get a massive amount of free promotion from it. They should be criticized for claiming credit for discovering this when they didn't and for misrepresenting it.

Someone linked this article not taking claims from the company promoting themselves at face value, which is far better than most of the news coverage, which got completely duped into believing in a completely fabricated threat:

https://therecord.media/google-to-remove-app-pixel-vulnerable

Still not good enough.

Palantir is a mass surveillance company aiding with egregious human rights violations. The CEO of Trail of Bits, who is working with them, is a diehard Apple fanboy and has been dismissing GrapheneOS for years. Here's some real data to ponder:

https://discuss.grapheneos.org/d/14344-cellebrite-premium-july-2024-documentation


This post is also available on social media platforms as a thread:

X: https://x.com/GrapheneOS/status/1824138861989204099
Mastodon: https://grapheneos.social/@GrapheneOS/112967309987371034
Bluesky: https://bsky.app/profile/grapheneos.org/post/3kzrm4woiji2u

    This is unfortunate.

    Wired, in my opinion, became nothing much better than a rag a few years back. Guess times are tough in the online journalism sphere and they have to revert to fear and division to get clicks.

    locked They gave a response to most of the news publications but it was largely ignored and downplayed. You can see they're arguing against what's being said in the 2nd article we linked:

    https://therecord.media/google-to-remove-app-pixel-vulnerable

    They likely gave almost exactly the same response to each news publication and most of them simply largely ignored it and went along with the security company (iVerify). Trail of Bits created iVerify and spun it off into a separate company a year ago but is still closely tied to it. They may have portrayed themselves as not being tied to iVerify and helped push the story. The whole thing is incredibly shady and they shouldn't be surprised we fight back against their misinformation.

    I just read the article, and it appears that both iVerify and Palantir have a grudge against Android, and Pixel phones in particular. There appears to be little credibility to the story.

      locked The CEO would be an Apple fanboy, it's almost funny with a name like “iVerify”.

      The mainstream press is now announcing that a serious vulnerability has been lurking in Pixel phones for years, when in fact it hasn't. It's been deactivated and only concerns Pixel phones sold by Verizon in the USA; it is really disproportionate. Yes, this story has no credibility.


        Xtreix this story has no credibility.

        I see on their website (Trail of Bits) that they claim to be "trusted by top organizations" and Google is included in the list. I don't know if it's true and what this really means.

          Hat Trail of Bits used to be a reputable organization and did useful contract work. They've fallen very far. The CEO and the company can't really take all the credit for their past employees and contractors doing good work. They're going to start struggling to get real talent due to their partnership with Palantir and this kind of spreading misinformation to promote themselves. People aren't going to want to work there.

          It just seems that Palantir and iVerify are trying to create bad press for Android, and particularly the Pixel line, and smear them, when the exact opposite is true. One does not have to look further than Cellebrite's recent report on the latest Pixel line to be able to debunk these false assertions. The likely reason: they are frustrated by the Titan M2 chip. These accusations are just a way to leverage pressure against Google. Governments and digital security companies have done this before. Google is not alone in being attacked.

          GrapheneOS This is one of multiple carrier apps in the stock Pixel OS which we don't include in GrapheneOS. We were aware of it already since we had to go through them and figure out why they exist. We could embrace this fearmongering and leverage it for marketing, but we aren't dishonest.

          Could you explain why you needed to go through the carrier apps? Surely, they are not a part of AOSP. Do you base some of GrapheneOS on stock Pixel OS? Just curious.

          And the fact that there is a disabled package in stock Pixel OS shouldn't be a problem (like these companies claim). The big problem is that Google Play and Services have all the privileges that this package would have had (if it was enabled). But for some reason, society as a whole trusts that Google does not abuse this unprecedented access that they have on billions of Android phones. If I am not wrong about my assumption. Please correct me if I am wrong.

            Panda-na The dozen Verizon carrier apps including this one for retail demos in their stores are a Verizon Android user issue, not a Pixel issue. GrapheneOS doesn't include these kinds of carrier apps.

            Do you base some of GrapheneOS on stock Pixel OS? Just curious.

            We need firmware, configurations, a subset of the driver libraries (the kernel drivers are fully open source though), etc. from the stock OS on the supported devices. The amount of that stuff we need has decreased a lot with Tensor Pixels and we hope it decreases further. If we had our own devices with a hardware partnership, we could build some of the firmware ourselves.

            Pixels include a suite of Verizon apps like all other Android devices with full Verizon support. GrapheneOS doesn't fully support Verizon with features like Wi-Fi calling due to not including these. Sane carriers don't require this. Verizon is uniquely bad. The Verizon apps are completely disabled on Pixels unless you have an active Verizon SIM. The way they're disabled is equivalent to them being uninstalled without a Verizon SIM and then installed on-demand when you have one. They require a lot of privileged permissions to function but it's a non-issue if you aren't a Verizon user.

            The retail demo app they found a vulnerability in is pretty much irrelevant though. It's not active even with a Verizon SIM. You would need to set up the device to be in that retail demo mode. The security vulnerability was relevant to the demo devices in Verizon stores, but wiping them via factory reset purges all of it. Verizon said they aren't using it anymore, and it has been removed from the stock Pixel OS in Android 15, which can be seen in the Android 15 Beta, but it wasn't a real issue for Pixel users even if they did use Verizon.

            It's ridiculous for this to get so much attention when it's not even a valid low severity vulnerability. It really shows how hopeless mainstream media is at covering privacy and security issues. They get completely manipulated to push marketing from security companies scamming people.

            https://x.com/cryps1s/status/1824077327577591827

            This is a fake story. Turns out that getting security information from the CISO of a mass surveillance company trying to build a dystopian police state providing police with "predictive policing" software largely based on racial stereotypes is a bad move.

            Trail of Bits' iVerify EDR product runs in the standard app sandbox on iOS and Android. It can hardly do anything beyond static scanning of APKs. It's a crippled antivirus app marketed as detecting sophisticated attackers. It's a scam and Trail of Bits has lost all credibility.

            Trail of Bits is working closely with Palantir and is focused on getting government contracts. They've created a fake news story to promote their EDR product which has been propagated across mainstream media. Journalists didn't do basic due diligence and spread false marketing.

            Verizon has a suite of low-level apps for Android devices to fully use their network. These are included on any Android device with full Verizon support. Pixels disable the packages unless a Verizon SIM is active. This is equivalent to having them installed/uninstalled on demand.

            One of the apps in this suite is the Showcase retail demo app for Verizon to show off phones in their stores. It requires manually setting up the phone as a retail demo device. Verizon says they don't use it anymore. This demo app is where Trail of Bits / iVerify found an HTTP connection.

            In order to exploit Verizon's demo app not verifying a signature for the downloaded config or even fetching it via HTTPS, it would already need to be set up to use retail demo mode. The contractors Verizon paid to implement it did a bad job, but it's not a Pixel security issue.

            Since it's an obsolete app that Verizon isn't using anymore, the stock Pixel OS already removed it in Android 15 which is visible in the Android 15 Beta. The other Verizon apps needed to fully use their network which get activated with a Verizon SIM are of course still included.

            GrapheneOS has been omitting these carrier apps since around 2015. This meant GrapheneOS users weren't able to use Sprint and can't use certain features on Verizon like Wi-Fi calling. Apple has a special deal with Verizon and implements the control they want as part of iOS.

            The restrictions set in Verizon's carrier configuration and the functionality implemented by these apps is a major part of why they prevent installing an alternate OS on any device sold by Verizon. They want to control how people use features like tethering and Wi-Fi calling.

            Every month, a bunch of real vulnerabilities are patched for Android on Pixels. A subset of these including all High and Critical severity issues in Android itself get backported to older Android releases for non-Pixels too. iVerify's finding isn't even a Low severity issue.

            Supposedly reputable news organizations including the Washington Post, New York Times, Wired, etc. are largely acting as a press release distribution service for governments and corporations. If it fits a narrative they want to tell, there's no attempt to question or confirm it.

            Trail of Bits employees should think over whether they want to be part of building a police state with pervasive surveillance as Palantir partners. You're not even working at a reputable security company anymore. Trail of Bits has become the charlatans they used to criticize.
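The failure mode described in the post above, a config fetched over plain HTTP and accepted without any signature check, next to the hardened form, as an added example. This is illustrative Go written for this page, not code from the thread, from Verizon's app or from GrapheneOS. The config schema, the URLs and the in-memory "network" are assumptions so it runs offline; the point it demonstrates is the ordering: refuse anything but https, verify a detached Ed25519 signature against a key pinned in the app, and only then parse.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"net/url"
)

// DemoConfig stands in for whatever the demo app downloads (assumed schema).
type DemoConfig struct {
	UpdateURL string   `json:"update_url"`
	Commands  []string `json:"commands"`
}

// fetcher is a fake network (URL -> response body) so the example runs offline.
type fetcher map[string][]byte

func (f fetcher) get(u string) ([]byte, error) {
	if body, ok := f[u]; ok {
		return body, nil
	}
	return nil, fmt.Errorf("fetch %q failed", u)
}

// loadConfigInsecure is the vulnerable pattern: any scheme is accepted and
// nothing authenticates the bytes, so an on-path attacker chooses the config.
func loadConfigInsecure(f fetcher, configURL string) (*DemoConfig, error) {
	body, err := f.get(configURL)
	if err != nil {
		return nil, err
	}
	var cfg DemoConfig
	if err := json.Unmarshal(body, &cfg); err != nil {
		return nil, err
	}
	return &cfg, nil
}

// loadConfigSigned is the hardened form: https only, and a detached Ed25519
// signature checked against a key pinned in the app before anything is parsed.
func loadConfigSigned(f fetcher, configURL, sigURL string, pub ed25519.PublicKey) (*DemoConfig, error) {
	for _, raw := range []string{configURL, sigURL} {
		if u, err := url.Parse(raw); err != nil || u.Scheme != "https" {
			return nil, fmt.Errorf("refusing non-https URL %q", raw)
		}
	}
	body, err := f.get(configURL)
	if err != nil {
		return nil, err
	}
	sig, err := f.get(sigURL)
	if err != nil {
		return nil, err
	}
	// Verify before Unmarshal: the JSON parser never sees unauthenticated bytes.
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, body, sig) {
		return nil, fmt.Errorf("config signature invalid")
	}
	var cfg DemoConfig
	if err := json.Unmarshal(body, &cfg); err != nil {
		return nil, err
	}
	return &cfg, nil
}

// Constructed sample data at assumed URLs: the vendor's genuine config and an attacker's replacement.
const cfgURL, sigURL = "https://vendor.invalid/showcase.json", "https://vendor.invalid/showcase.json.sig"

var genuineConfig = []byte(`{"update_url":"https://vendor.invalid/demo","commands":["start-demo"]}`)
var tamperedConfig = []byte(`{"update_url":"http://attacker.invalid/x","commands":["install-apk"]}`)

// scenario runs both loaders against an attacker who can swap the body but
// cannot forge the signature, and reports which loader accepted what.
func scenario() (insecureTookTampered, signedTookTampered, signedTookGenuine bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // key pair the app would pin
	sig := ed25519.Sign(priv, genuineConfig)
	honest := fetcher{cfgURL: genuineConfig, sigURL: sig}
	attacked := fetcher{cfgURL: tamperedConfig, sigURL: sig} // body swapped, old signature left in place

	c, e := loadConfigInsecure(attacked, cfgURL)
	insecureTookTampered = e == nil && c.Commands[0] == "install-apk"
	_, e = loadConfigSigned(attacked, cfgURL, sigURL, pub)
	signedTookTampered = e == nil
	c, e = loadConfigSigned(honest, cfgURL, sigURL, pub)
	signedTookGenuine = e == nil && c.Commands[0] == "start-demo"
	return
}

func main() {
	a, b, c := scenario()
	fmt.Println("insecure loader took tampered config:", a, "| signed loader took tampered:", b, "| signed loader took genuine:", c)
}
```

Run it with `go run .`: the insecure loader happily executes the attacker's "install-apk" config, while the signed loader rejects it and still accepts the genuine one. Note that TLS alone is not the fix: https stops the on-path swap, but a pinned signing key is what stops a compromised or mis-issued server from pushing arbitrary commands, which is why the check is done on the raw bytes before parsing.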

            I think instead of writing a whole essay about the issue, which doesn't concern GOS, it would be easier to say which privileged apps are included in GOS rather than specifying which are not. Not many AOSP apps are included, it's easy to see in the source and releases, but GOS lacks the transparency of what is currently included from AOSP and for which reason. I'm talking about stock AOSP apps, and the logic behind including them or not. This hasn't been clear on the website page. Just to rephrase, I'm not saying GOS is not transparent behind the development and goals. There are just a few apps that are inherited from AOSP which I believe should not be there. Settings > Apps > All Apps > 3 dots ... > show system. Many questionable stuff there.

            Many security companies throw hoax stories like that now and then, it's fine, it's a marketing thing for their product. Not sure that GOS has to "debunk" those marketing fluffs each time and end up with bad relations among potential customers of those companies, since when you end up in a so-called "Twitter debate" it will just make regular users question who is defending what. My 2 cents.

              23Sha-ger Settings > Apps > All Apps > 3 dots ... > show system. Many questionable stuff there.

              There are many threads here on the forum where people found something "questionable" and asked about it then someone explained the purpose of the app or service. All of GrapheneOS's code is on GitHub for anyone to look at. There's nothing questionable there. If you have a question, ask it, but don't just make vague claims that there's questionable apps or services included in GrapheneOS.

              23Sha-ger Many security companies throw hoax stories like that here and then, it's fine, it's a marketing thing for their product.

              It's not fine and in this case it's relevant to GrapheneOS. GrapheneOS users in the community saw the news and were concerned that the app in question is included in GrapheneOS. Similarly, GrapheneOS users outside of our community may see the "news" and worry, but may not see the project's response to the article.

              One article that I read even said that the Android team's response was something to be concerned about. If Android is insecure, what does that say about GrapheneOS? It makes total sense that GrapheneOS project members publicly respond to this fake news story.

              23Sha-ger Settings > Apps > All Apps > ⋮ > show system. Many questionable stuff there.

              Everything is "questionable". And pretty much everything contains bugs!

              GrapheneOS is an open-source project. Pull requests and security notifications can be made via standard mechanisms. The web site contains detailed build instructions, so individuals can build their own variants, including leaving "questionable" components out or replacing them.

              Thank you for delivering such a carefully debloated but also feature-enabled OS! You are doing great work.

              I encourage everyone to donate to GrapheneOS, as this OS is crucial.

              kebab_definite
              That exactly was my thought while reading it!
              Because I am also a user of SimpleX, the alternative messenger app with the newest and greatest technology that messengers today can have.

              Unfortunately, its founder Evgeny Poberezkin had the audits done by Trail of Bits.
              One about the protocols, maybe in September, and a completely new audit at the end of this year.

                @GrapheneOS nice work, I was about to ask and then spotted this thread :-)