It’s 2024 and we’re no strangers to clickbait
Earlier this month, major tech outlets picked up on findings from iVerify, a security company that claimed to have discovered a malicious Android package (‘Showcase.apk’) on millions of phones.
According to that coverage, the vulnerable app leaves millions of Android Pixel devices susceptible to man-in-the-middle (MITM) attacks, giving cybercriminals a way to inject malicious code and spyware.
But iVerify was hardly the first to notice it. GrapheneOS had already removed Showcase.apk back in 2021, along with a multitude of other unnecessary system and ‘carrier’ apps.
What’s a carrier app? Major telecommunications providers such as Verizon make deals with Google to have special apps bundled into the stock operating system so they don’t need to be installed later on.
Verizon required the app to be preloaded, and Showcase.apk was a demo application meant to be activated on phones in Verizon stores; according to a Verizon representative, it is no longer used. Verizon likewise pushes Apple to build the controls it wants into iOS.
Carrier apps like these can be triggered automatically based on which SIM card is inserted.
Verizon’s carrier apps only become active on a stock Android phone with a Verizon SIM card.
And for this particular app, you would also need hands-on access to the phone and its PIN code to manually set up the demo mode.
So all in all, there was almost zero chance of this app being used in an attack. Clickbait much?
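To check whether a preloaded carrier app is actually present and enabled on a stock phone, here is an added example written for this post (not code from iVerify, Verizon or GrapheneOS). It wraps the real `adb shell pm list packages` commands; the package name `com.example.carrier.demo` and the sample listings are constructed placeholders, not the actual identifier of Showcase.apk.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Classify a package on an Android device as absent, disabled or enabled,
# from the output of two real package-manager commands:
#   installed=$(adb shell pm list packages)      # every installed package, "package:<name>" per line
#   disabled=$(adb shell pm list packages -d)    # only packages disabled for the current user
# The package name below is an assumed placeholder for illustration.

package_state() {
  pkg="$1"
  installed="$2"
  disabled="$3"
  # -F: fixed string (dots in package names are not regex wildcards)
  # -x: whole-line match, so "com.example.app" does not match "com.example.app.extra"
  if ! printf '%s\n' "$installed" | grep -qxF "package:$pkg"; then
    echo absent
  elif printf '%s\n' "$disabled" | grep -qxF "package:$pkg"; then
    echo disabled
  else
    echo enabled
  fi
}

# Constructed sample output standing in for the two adb commands above.
SAMPLE_INSTALLED='package:com.android.chrome
package:com.example.carrier.demo
package:com.android.settings'
SAMPLE_DISABLED='package:com.example.carrier.demo'

# Usage: the placeholder carrier demo app is installed but disabled.
package_state com.example.carrier.demo "$SAMPLE_INSTALLED" "$SAMPLE_DISABLED"
```

On a real device, feed `package_state` the output of `adb shell pm list packages` and `adb shell pm list packages -d`. A package that turns up as enabled can be switched off for the primary user without root via `adb shell pm disable-user --user 0 <package>`, which is what the rest of this post's advice amounts to for anyone staying on stock Android.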
Why the Carrier Apps?
Verizon is notably the only telecommunications provider that forbids bootloader unlocking on phones sold in its stores, so alternative operating systems cannot be installed.
It also walls off important functionality like tethering and Wi-Fi calling inside these carrier apps, so on a de-googled operating system those features will be unavailable.
What Should I do?
Use a de-googled phone running GrapheneOS. Compared to an iPhone, it offers more protection against physical attempts to break into the phone with forensic extraction tools like Cellebrite, which is popular with US law enforcement.
Additionally, if you’re on Verizon, think about switching to a carrier that doesn’t restrict which features you can use.
The Problem With Clickbait
The problem with overblown security news is that it misleads people while the continuous work of patching real security vulnerabilities hardly gets the spotlight. For example, 47 different vulnerabilities were patched for Pixel phones in June, most of them rated critical or high.
Is there something deeper going on?
It’s notable that iVerify is gaining traction in the media, with the Washington Post, CNET, and major news networks covering this nothing-burger of a vulnerability.
Also notable is iVerify’s partnership with Palantir, which reportedly identified the issue and is now getting rid of all its Android devices.
Palantir Technologies was co-founded by Peter Thiel and is known for its many ties to intelligence agencies; In-Q-Tel, the CIA’s venture capital arm, was an early investor.
It’s known for landing huge military and public health contracts that give it access to personal data for building customized surveillance software.
Their greatest hits include ‘Tiberius’, which collected sensitive patient information in order to distribute vaccines, and Project Maven, a Pentagon program focused on identifying objects and people in drone footage.
And of course there is their predictive policing program with the city of New Orleans, which scraped social media data to identify ‘gang members’ that no one in the city knew about.
iVerify’s app, which they are trying so hard to promote, can’t do much. The GrapheneOS Mastodon account had this to say:
“Trail of Bits iVerify EDR product runs in the standard app sandbox on iOS and Android. It can hardly do anything beyond static scanning of APKs. It's a crippled antivirus app marketed as detecting sophisticated attackers. It's a scam and Trail of Bits has lost all credibility.”
What Do You Think?
Should telecommunications providers be able to force apps in operating systems?
Resources
GOS Thread drilling into the issue
https://grapheneos.social/@GrapheneOS/112972984066659887
Palantir and Predictive Policing
https://www.theverge.com/2018/2/27/17054740/palantir-predictive-policing-tool-new-orleans-nopd
Protection from Cellebrite (law enforcement cracking software)
Who is ultimately behind GrapheneOS and has it ever had any ties with the US government?