If you’ve got one of HTC’s popular Android phones, such as the Evo 4G, Evo 3D or Thunderbolt, your phone may be giving apps you’ve installed a huge amount of personal data — information that you didn’t authorize those apps to have access to.
HTC Android smartphones including the Evo 3D, the Evo 4G, and the Thunderbolt contain a flaw that gives Internet-connected apps installed on the devices access to personal information such as text message data, location info, e-mail addresses, and phone numbers, according to a trio of security researchers.
Justin Case, and Trevor Eckhart have discovered a vulnerability involving logging tools that HTC recently installed on the devices during a software update.
Such tools, might normally be used for remote analysis of problems on a device, among other things. But the problem here is that, because of this purportedly misguided update, “any app on affected devices that requests a single android permission.INTERNET (which is normal for any app that connects to the Web or shows ads)” can get access to:
- “the list of user accounts, including email addresses…
- last known network and GPS locations and a limited previous history of locations
- phone numbers from the phone log
- SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
- system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info”
Owners of HTC smartphones, a security team is claiming to have uncovered a “massive security vulnerability” in HTC Android devices that allows any application with Internet access to gain access to private data, including user accounts, email addresses, GPS location, text message data and phone numbers. The vulnerability is said to affect HTC smartphones running the latest version of HTC’s software, including the EVO 3D,EVO 4G, Thunderbolt, and others.
Technical issues : A new security vulnerability has been found in new HTC devices that leaks vital device and user information, according to a report by Android Police. The report highlights that new updates by HTC have included a full range of logging tools that collects user account data, GPS locations, SMS data, phone numbers, system logs and running processes.
Now, the problem is that even common apps with just basic permissions for Internet can access all the above data. So, any application having access to android.permission.INTERNET can have access to a user’s personal details.
In fact, HtcLogger has a whole interface which accepts a variety of commands (such as the handy:help: that shows all available commands). Oh yeah – and no login/password are required to access said interface.Furthermore, it’s worth noting that HtcLogger tries to use root to dump even more data, such as Wi Max state, and may attempt to run something called htc serviced .
HtcLoggers is only one of the services that is collecting data, and I haven’t even got to the bottom of what else it can do, let alone what the other services are capable of doing. But hey – I think you’ll agree that this is already more than enough.
Patching The Vulnerability :It is not possible without either root or an update from HTC. If you do root,I would rather recommend immediate removal of Htcloggers (you can find it at /system/app/HtcLoggers.apk).
Stay safe and don’t download suspicious apps. Of course, even quality-looking apps can silently capture and send off this data, but the chance of that is lower.
HTC’s Response :As far as i acknowledged , HTC is now looking into the issue, but no statement has been issued yet.
HTC, you got yourself into this mess, and it’s now up to you to climb out of the hole as fast as possible, in your own interest.Otherwise you are out of the Android world.
Credit : Trevor Eckhart who found the vulnerability and Justin Case for digging deep into the problem and alerting the public.