Zerosquare, 18/08/2024 at 00:39
iVerify Discovers Android Vulnerability Impacting Millions of Pixel Devices Around the World
iverify.io
iVerify discovered an Android package, "Showcase.apk," with excessive system privileges, including remote code execution and remote package installation capabilities, on a very large percentage of Pixel devices shipped worldwide since September 2017.
The application downloads a configuration file over an unsecure connection and can be manipulated to execute code at the system level. The application retrieves the configuration file from a single US-based, AWS-hosted domain over unsecured HTTP, which leaves the configuration vulnerable and can make the device vulnerable. (...) Removal of the app is not possible through a user’s standard uninstallation process, and at this time, Google has not offered a patch for the vulnerability. It appears that Showcase.apk is preinstalled in Pixel firmware and included in Google’s OTA image for Pixel devices. The app is not enabled by default, but there might be multiple methods to enable it. The iVerify research team investigated one method requiring physical access