A security hole found in some HTC Android phones could give apps with
Internet permissions access to information like a user’s location and
their text messages, Android Police
reported today. The vulnerability is part of HTC’s Sense UI and affects
a subset of the brand’s most popular phones, including the HTC
Thunderbolt and the EVO 4G.
The affected HTC phones have an application package titled
HTCLoggers.apk installed with root-level access. Apps with Internet
permissions can access HTCLoggers.apk, which provides access to
information like GPS data, WiFi network data, memory info, running
processes, SMS data (including phone numbers and encoded text), and
system logs that can include information like e-mail addresses and phone
numbers.
When called upon, the logging program opens a local port that will
provide this data to any app that asks for it. Apps can send the data
off to a remote server for safekeeping, as shown by a proof-of-concept
app that Android Police researchers developed.
The authors note that the flaw can’t be fixed in the stock Sense UI
without an update or patch from HTC. The owners of the relevant phones
(a partial list: Thunderbolt, EVO 3D, EVO 4G, EVO Shift 4G) can delete
HTCLoggers from their devices if they root the phones.
While the report doesn’t note any concrete examples of nefarious use
of the HTCLogger data, this is far more access than Google allows via
Android by default—typically, the OS doesn’t let information of this
type off a device without direct consent. HTC has made no official reply
to inquiries from the researchers, and did not respond immediately to
Ars’ requests for comment.
