2011-10-02

Security Holes in Android HTC phones.

A security hole found in some HTC Android phones could give apps with Internet permissions access to information like a user’s location and their text messages, Android Police reported today. The vulnerability is part of HTC’s Sense UI and affects a subset of the brand’s most popular phones, including the HTC Thunderbolt and the EVO 4G.

The affected HTC phones have an application package titled HTCLoggers.apk installed with root-level access. Apps with Internet permissions can access HTCLoggers.apk, which provides access to information like GPS data, WiFi network data, memory info, running processes, SMS data (including phone numbers and encoded text), and system logs that can include information like e-mail addresses and phone numbers.
When called upon, the logging program opens a local port that will provide this data to any app that asks for it. Apps can send the data off to a remote server for safekeeping, as shown by a proof-of-concept app that Android Police researchers developed.

The authors note that the flaw can’t be fixed in the stock Sense UI without an update or patch from HTC. The owners of the relevant phones (a partial list: Thunderbolt, EVO 3D, EVO 4G, EVO Shift 4G) can delete HTCLoggers from their devices if they root the phones.

While the report doesn’t note any concrete examples of nefarious use of the HTCLogger data, this is far more access than Google allows via Android by default—typically, the OS doesn’t let information of this type off a device without direct consent. HTC has made no official reply to inquiries from the researchers, and did not respond immediately to Ars’ requests for comment.