Cybernews researchers analyzed the new Pixel 9 Pro XL smartphone’s web traffic, focusing on what a new smartphone sends to Google. The results show that Google’s latest flagship smartphone raises concerns about user privacy and security. It frequently transmits private user data to the tech giant before any app is installed. Moreover, the research team has discovered that the phone potentially has remote management capabilities without user awareness or approval.
“Every 15 minutes, Google Pixel 9 Pro XL sends a data packet to Google. The device shares location, email address, phone number, network status, and other telemetry. Even more concerning, the phone periodically attempts to download and run new code, potentially opening up security risks,” said Aras Nazarovas, a security researcher at Cybernews.
Cybernews has contacted Google about these findings. However, researchers did not obtain a response before publishing.
Key research takeaways:
- Private information, including the user’s email address, phone number, location, app list, and other telemetry and statistics, was repeatedly sent in the background to various Google endpoints, including Device Management, Policy Enforcement, and Face Grouping.
- Every 15 minutes, the device sends a regular authentication request to an endpoint called ‘auth.’
- The phone also contacts a ‘check-in’ endpoint roughly every 40 minutes.
- The phone constantly requests new “experiments and configurations,” tries accessing the staging environment, and connects to device management and policy enforcement endpoints, suggesting Google’s remote control capabilities.
- The Pixel device connected to services that were not in use and for which no explicit consent had been given, such as Face Grouping endpoints, raising privacy and ownership concerns.
- Another Google feature, Voice Search, was connecting to its servers sporadically—sometimes every few minutes, sometimes not communicating for hours. It sent potentially excessive and sensitive data, including the number of times the device was restarted, the time elapsed since powering on, and a list of apps installed on the device, including the sideloaded ones.
- Moreover, the Pixel device periodically calls out to a Staging environment service (‘enterprise-staging.sandbox’) and attempts to download assets that do not yet exist.
- This reveals the capability of remotely installing new software packages.
- Under some conditions, the calculator app leaks calculation history to unauthenticated users with physical access.
Research Methodology
Researchers used a “man-in-the-middle” approach to intercept the traffic between a new Pixel 9 Pro XL and Google’s servers.
On a brand-new phone with a new Google account and default settings, they installed the Magisk app to gain deep (root) access to the phone’s system. Researchers then proxied the inbound and outbound traffic and used a custom security certificate to decrypt and examine the communications.
Rooting the phone disables AI features such as Google Gemini Assistant, Pixel Studio, and potentially some other features. Therefore, this method did not allow for the capture of complete traffic.
The collected traffic was not modified at any point, and researchers did not manually interact with endpoints or attempt to verify captured secrets.
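
The request intervals reported above can be checked against a proxy capture by measuring the gaps between requests to each endpoint. The following is an added example, not the researchers' code, run over constructed log lines; the `<ISO timestamp> <endpoint>` line format, the sample timestamps and the `voice-search` label are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data: minute offsets per endpoint label, not captured traffic.
# 'auth' and 'check-in' are the labels used in the write-up; 'voice-search' is a
# hypothetical label standing in for the Voice Search traffic.
SAMPLE_OFFSETS = {
    "auth": [0, 15, 30.2, 45, 60.1, 75, 90, 105.3, 120],
    "check-in": [0, 40, 80.5, 120, 160],
    "voice-search": [0, 3, 5, 190, 194, 400],
}

def sample_log(start=datetime(2024, 1, 1)):
    """Render the constructed offsets as '<ISO timestamp> <endpoint>' lines."""
    rows = [(start + timedelta(minutes=m), ep)
            for ep, offs in SAMPLE_OFFSETS.items() for m in offs]
    return [f"{ts.isoformat()} {ep}" for ts, ep in sorted(rows)]

def cadence(lines, tolerance=0.10, min_gaps=3, regular_share=0.8):
    """Classify each endpoint's request timing as periodic or sporadic.

    Returns {endpoint: (label, median_gap_minutes)}. An endpoint is 'periodic'
    when at least regular_share of its gaps lie within tolerance of the median.
    """
    seen = defaultdict(list)
    for line in lines:
        stamp, endpoint = line.split(maxsplit=1)
        seen[endpoint.strip()].append(datetime.fromisoformat(stamp))
    result = {}
    for endpoint, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        if len(gaps) < min_gaps:  # too few requests to judge a rhythm
            result[endpoint] = ("insufficient data", None)
            continue
        mid = median(gaps)
        regular = sum(abs(g - mid) <= tolerance * mid for g in gaps)
        label = "periodic" if regular / len(gaps) >= regular_share else "sporadic"
        result[endpoint] = (label, round(mid, 1))
    return result

if __name__ == "__main__":
    for endpoint, (label, gap) in sorted(cadence(sample_log()).items()):
        print(f"{endpoint:14} {label:18} median gap: {gap} min")
```

The median is used instead of the mean so that one long gap, such as a period when the device was offline, does not hide an otherwise regular beacon.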