The disclosing party (iVerify) sell a dubious app marketed to protect you against sophisticated remote attacks like Pegasus but cannot do what it claims. They also collaborated with Palantir, a surveillance company trying to sell "predictive policing" tech. It is a scaremongering tactic meant to market their dubious products.
quotingWired was manipulated into spreading misinformation to market Palantir and iVerify by misrepresenting a vulnerability in a disabled demo app as being a serious problem which could be exploited in the real world. They should retract the article but won't.
nevent1q…crf9
https://www.wired.com/story/google-android-pixel-showcase-vulnerability/
iVerify are scammers and anyone paying them money should rapidly stop doing it and remove their malware from their devices. The real security risk is giving remote code execution on your devices to one of these sketchy EDR companies lying about their capabilities and discoveries.
This is one of multiple carrier apps in the stock Pixel OS which we don't include in #GrapheneOS. We were aware of it already since we had to go through them and figure out why they exist. We could embrace this fearmongering and leverage it for marketing, but we aren't dishonest.
"iVerify vice president of research [...] points out that while Showcase represents a concerning exposure for Pixel devices, it is turned off by default. This means that an attacker would first need to turn the application on in a target's device before being able to exploit it."
"The most straightforward way to do this would involve having physical access to a victim's phone as well as their system password or another exploitable vulnerability that would allow them to make changes to settings. Google's Fernandez emphasized this limiting factor as well."
Wired should retract the article and explain how they're going to do better. They keep publishing this kind of fearmongering misinformation from information security industry charlatans. There are real remote code execution flaws being fixed in Android and iOS but they push this.