Owners of some HTC-branded Android phones may have a little cause for concern today, after it emerged that the company’s handsets may contain a huge security flaw which could, theoretically, share personal information with any third-party application.
After a bit of digging around, Android Police has discovered a suite of logging tools called ‘HtcLoggers’ which were added to some HTC handsets during a recent software update. The exact reason for the tools being installed is as yet unknown, but what is known is what they are recording, and it doesn’t make for good reading – especially if you happen to be (un)lucky enough to own one of the affected handsets.
Here’s a rundown of what the apps collect:
- the list of user accounts, including email addresses and sync status for each
- last known network and GPS locations and a limited previous history of locations
- phone numbers from the phone log
- SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
- system logs (both kernel/dmesg and app/logcat), which include everything your running apps do and are likely to include email addresses, phone numbers, and other private info.
But that’s not all. What really makes this all the more concerning is the fact that any application that uses Android’s ‘INTERNET’ permission also has access to this information. That means any app that uses your data connection can, in theory at least, access all the data laid out above. At that point, copying it off your device is a trivial task, should anyone really want to.
At the time of writing, HTC devices using the stock HTC Sense layer are affected. Using a proof of concept attack, the EVO 4G, EVO 3D, Thunderbolt, EVO Shift 4G, MyTouch 4G Slide and some Sensation models have all been shown to be vulnerable.
Android Police take great pains to point out that this isn’t a security vulnerability that is present in stock Android, or any other devices for that matter, but rather something that has been introduced by HTC’s team. The reasons for its introduction are unknown.
There is a temporary fix that users can implement, but only if a device is already rooted. Users of third-party ROMs like CyanogenMod are also unaffected.
"(a fix) is not possible without either root or an update from HTC. If you do root, we recommend immediate removal of Htcloggers (you can find it at /system/app/HtcLoggers.apk)."
HTC has since released a short statement, claiming that the company will be looking into the issue and, if this is indeed a real threat, will seek to issue an update as soon as possible.
That’s nice of them, isn’t it?