"Massive" security hole uncovered in HTC Android phones

HTC device owners reportedly have reason to worry today, after it was discovered that a first-party app was leaking huge amounts of personal information.

Android Police has done some digging into a suite of logging tools, dubbed HtcLoggers, that were loaded onto a range of HTC phones in a recent update. While the exact purpose of the tools is not known, they collect a bevy of information including, but not limited to, location, user accounts, phone numbers, system logs and some SMS data.

Here's the kicker - it is apparently possible for any app that uses Android's INTERNET permission to access - and therefore copy off the device - any of that information. Given that most apps that access the web or display ads request the INTERNET permission, the consequences of this find are, as Artem Russakovskii of Android Police puts it, massive.

Reportedly only phones running the stock Sense firmware are affected. Using a proof-of-concept app, the EVO 4G, EVO 3D, Thunderbolt, EVO Shift 4G, MyTouch 4G Slide and some Sensation models have been found vulnerable to data theft via the HtcLoggers app.

Put simply, any app with the INTERNET permission running on the aforementioned phones can access at least:

  • ACCESS_COARSE_LOCATION: allows an application to access coarse (e.g., Cell-ID, WiFi) location
  • ACCESS_FINE_LOCATION: allows an application to access fine (e.g., GPS) location
  • ACCESS_LOCATION_EXTRA_COMMANDS: allows an application to access extra location provider commands
  • ACCESS_WIFI_STATE: allows applications to access information about Wi-Fi networks
  • BATTERY_STATS: allows an application to collect battery statistics
  • DUMP: allows an application to retrieve state dump information from system services
  • GET_ACCOUNTS: allows access to the list of accounts in the Accounts Service
  • GET_PACKAGE_SIZE: allows an application to find out the space used by any package
  • GET_TASKS: allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.
  • READ_LOGS: allows an application to read the low-level system log files
  • READ_SYNC_SETTINGS: allows applications to read the sync settings
  • READ_SYNC_STATS: allows applications to read the sync stats

As the Android Police report notes, it's important to make clear that this isn't a vulnerability in the Android OS itself: HTC has chosen, for whatever reason, to gather a large amount of personal data and, through what appears to be lax security, has made it simple for a malicious app to take.

According to Engadget, HTC has issued a short statement, with a spokesperson saying that the company takes customers' security "very seriously" and will be working to provide an update as soon as they've verified the issue exists as reported.

In the meantime, users with rooted phones can remove the HtcLoggers package by deleting /system/app/HtcLoggers.apk. Users running an AOSP-based ROM such as CyanogenMod are also reportedly unaffected.
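For readers who want to check whether a device they administer carries the package before applying the workaround above, here is an added triage script; it is not code from the article, from HTC or from Android Police. It pulls the device's build properties and package list over adb, reports whether the phone is an HTC build and whether /system/app/HtcLoggers.apk is installed (the only value taken from the article), and says whether the rooted-phone removal applies. It assumes `adb` is on PATH with USB debugging enabled; the sample device output in run_demo() is constructed so the logic can be exercised offline, and the package name in it is a placeholder.

```shell
#!/bin/sh
# Added example: triage an Android device for the HtcLoggers package.
# Not from the article; assumes adb on PATH and USB debugging enabled.

# Extract one property value from `getprop` output, whose lines look like
# "[ro.product.manufacturer]: [HTC]".
prop_value() {   # $1 = getprop output, $2 = property name
    printf '%s\n' "$1" | sed -n "s/^\[$2]: \[\(.*\)]$/\1/p" | head -n 1
}

# Return the HtcLoggers apk path from `pm list packages -f` output, whose
# lines look like "package:/system/app/Foo.apk=com.example.foo"; empty if absent.
htclogger_apk() {   # $1 = pm list packages -f output
    printf '%s\n' "$1" | sed -n 's#^package:\(/system/app/HtcLoggers\.apk\)=.*$#\1#p' | head -n 1
}

# Combine both into one verdict:
#   htc-logger-present  HTC build with the logging package; the article's
#                       workaround (delete the apk, root required) applies
#   htc-clean           HTC build without the package
#   non-htc             not an HTC build (e.g. an AOSP-based ROM)
assess() {   # $1 = getprop output, $2 = pm output
    maker=$(prop_value "$1" ro.product.manufacturer)
    if [ "$maker" != "HTC" ]; then
        echo non-htc
    elif [ -n "$(htclogger_apk "$2")" ]; then
        echo htc-logger-present
    else
        echo htc-clean
    fi
}

# Live check against a connected device. Older adb builds emit CRLF line
# endings from `adb shell`, which would break the sed anchors, so strip them.
check_device() {
    assess "$(adb shell getprop | tr -d '\r')" \
           "$(adb shell pm list packages -f | tr -d '\r')"
}

# Offline demo on constructed output (model string and package name are
# placeholders, not real device values).
run_demo() {
    props='[ro.product.manufacturer]: [HTC]
[ro.product.model]: [sample-model]'
    pkgs='package:/system/app/Phone.apk=com.android.phone
package:/system/app/HtcLoggers.apk=com.example.htclogger'
    assess "$props" "$pkgs"
}
```

Run `check_device` with a phone attached to get the verdict for that device; `run_demo` prints `htc-logger-present` for the constructed sample. A verdict of `htc-logger-present` only tells you the package is on the device, not whether a given firmware build is the affected one, so it is a prompt to apply the vendor update or the rooted-phone removal, not a proof of compromise.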

Check out a video of the proof-of-concept app in action below.

Image Credit: Android Police

Thanks to /- Razorfold for the news tip.
