A serious security vulnerability in several HTC smartphone models, which allows almost any installed app to read sensitive data stored on the device, has been discovered by Android Police. The vulnerability stems from a set of data-collecting logging tools that HTC pushed to its devices in recent updates.
According to Artem Russakovskii, devices such as the EVO 3D, EVO 4G, and Thunderbolt (among others) expose private user data to any app that holds android.permission.INTERNET. Because nearly every app requests the INTERNET permission, including anything that shows ads or fetches content, the permission prompt gives users no meaningful warning that an app could read this data.
Any app that requests the INTERNET permission can access the following, Russakovskii reports:
- the list of user accounts, including email addresses and sync status for each
- last known network and GPS locations and a limited previous history of locations
- phone numbers from the phone log
- SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
- system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
“If you do root, we recommend immediate removal of Htcloggers (you can find it at /system/app/HtcLoggers.apk),” Russakovskii said. “Stay safe and don’t download suspicious apps. Of course, even quality-looking apps can silently capture and send off this data, but the chance of that is lower.”
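As an added example (not code from Android Police, Russakovskii, or HTC), the following adb-driven shell script performs the check and removal the quote describes: it looks for HtcLoggers.apk in /system/app and, on a rooted device, deletes it. The `adb` invocation, the `su -c` wrapper and the `mount -o remount` calls are assumptions about a typical rooted device of that era; the sample directory listing is constructed so the matching logic can be exercised without a phone attached.

```shell
#!/bin/sh
# Added example, not from the original article: check an HTC device for
# HtcLoggers.apk and remove it on a rooted phone. Assumes `adb` is on PATH,
# the device is authorized, and root is available via `su -c` (assumption).

APK_PATH=/system/app/HtcLoggers.apk

# Returns 0 if the exact entry HtcLoggers.apk appears in a directory listing,
# 1 otherwise. $1 is the listing text, so this can be tested offline.
listing_has_htcloggers() {
    printf '%s\n' "$1" | grep -qx 'HtcLoggers.apk'
}

# Live check against a connected device. adb output may carry CR characters,
# so strip them before matching.
device_has_htcloggers() {
    listing_has_htcloggers "$(adb shell ls /system/app 2>/dev/null | tr -d '\r')"
}

# Remove the logger on a rooted device. /system is normally mounted read-only,
# so remount it read-write, delete the APK, then put it back to read-only.
remove_htcloggers() {
    adb shell su -c "mount -o remount,rw /system && rm $APK_PATH && mount -o remount,ro /system"
}

# Constructed sample listing standing in for a device's /system/app directory.
SAMPLE_LISTING='Bluetooth.apk
HtcLoggers.apk
Settings.apk'

# Usage: ./htclogger.sh --check    (report only)
#        ./htclogger.sh --remove   (requires root; removes the APK)
case "${1:-}" in
    --check)
        if device_has_htcloggers; then
            echo "HtcLoggers.apk present at $APK_PATH"
        else
            echo "HtcLoggers.apk not found"
        fi
        ;;
    --remove)
        if device_has_htcloggers; then
            remove_htcloggers && echo "Removed $APK_PATH"
        else
            echo "Nothing to remove"
        fi
        ;;
esac
```

The removal step only works on a rooted device; on stock firmware it fails at the remount, and the check branch is still useful for confirming whether a given phone carries the logger at all.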
Phones running stock HTC Sense firmware are affected, including the EVO 4G, EVO 3D, Thunderbolt, EVO Shift 4G, MyTouch 4G Slide, and certain Sensations. There are “most likely others – we haven’t verified them yet, but you can help us by downloading the proof of concept above and running the APK,” Russakovskii wrote.
All of this information is collected and stored by the new logging tools HTC has introduced on its recent smartphones.
Russakovskii adds, “I’d like to reiterate that the only reason the data is leaking left and right is because HTC set their snooping environment up this way. It’s like leaving your keys under the mat and expecting nobody who finds them to unlock the door.”
Android Police has published a proof-of-concept app that you can download, along with a video of it in action.
Engadget has posted the following response from HTC:
HTC takes our customers’ security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we’re able to determine the accuracy of the claim and what steps, if any, need to be taken.