UPDATE: HTC has admitted that some of its smartphones are vulnerable to an attack that allows a hacker to find out where you are and who you have called and sent text messages to, and to disable your phone remotely.
“… There is a vulnerability that could potentially be exploited by a malicious third-party application,” the company said in a statement yesterday evening. “So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.”
HTC said it was working “very diligently to quickly release a security update” that would resolve the issue on affected devices. “Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly.”
A recent update to several Android-based HTC devices has resulted in the installation of tools that collect a treasure trove of personal data without permission, according to a recent report. Security researcher Artem Russakovskii found that any app that requests `android.permission.INTERNET`, the standard permission for apps that access the Web or show ads, can also access things like location history, phone numbers and SMS data, as well as a list of user accounts and logins.
In news that will doubtless trouble HTC smartphone owners, a security team has uncovered a “massive security vulnerability” in HTC Android devices that allows any application with Internet access to read private data, including user accounts, email addresses, GPS location, text message data and phone numbers. The vulnerability is said to affect HTC smartphones running the latest version of HTC’s software, including the EVO 3D, EVO 4G, Thunderbolt, and others.
The glitch was first reported by Android Police’s Artem Russakovskii, who said he was “quite speechless”.
The vulnerability, discovered by Trevor Eckhart, Justin Case and Artem Russakovskii of Android Police, concerns a suite of logging tools included in recent HTC-specific updates to the Android operating system on HTC’s EVO and Thunderbolt models. These modifications to the Android OS collect a swathe of information from the user’s phone. They also leave the phones open to nefarious types, who are then able to forward that data wherever they like on the internet.
“It’s like leaving your keys under the mat and expecting nobody who finds them to unlock the door,” says Russakovskii.
The list of compromised data includes:
- List of user accounts, including email addresses
- Last known GPS location and history of previous locations
- Phone numbers from the phone log
- SMS data, including phone numbers and encoded text
- System logs, which track everything your running apps do
- System information, including build number, bootloader version, CPU info, running processes, list of installed apps, battery info and status, and network info, including IP addresses.
Eckhart and his team only released the information after contacting HTC on September 24th and receiving no real response for five days. The team sent details of the vulnerability to HTC in the hope of getting it fixed before making it public. HTC clearly hasn’t reacted at all, which prompted Android Police to out the issue. The team at Android Police believes that HTC is looking into the issue, but there has been no statement from the company as yet.
The team has also uncovered an app added to the Android OS by HTC called androidserver.apk, a remote access server that could allow HTC or third parties access to the phone. Eckhart says that, while the addition of the app “could end up being insignificant,” it is still “very suspicious.” Although the app isn’t started by default, it isn’t clear what or who can trigger it.
While open source software such as Android has a heap of advantages over closed systems, the vulnerability the Android Police team claims to have uncovered highlights one of the major downsides of open source software.
Phones running stock HTC Sense firmware are affected, including the EVO 4G, EVO 3D, Thunderbolt, EVO Shift 4G, MyTouch 4G Slide, and some Sensation models. There are “most likely others – we haven’t verified them yet, but you can help us by downloading the proof of concept above and running the APK,” Russakovskii wrote.
Hopefully, now that the problem has been outed, HTC will release an update to address its shemozzle. Until then, Eckhart says the only way to patch the vulnerability is to root your phone, which will void the warranty. If you do decide to go down the rooting path, Eckhart recommends removing HtcLoggers, which can be found at /system/app/HtcLoggers.apk.
Source: Android Police