Security is increasingly becoming an issue on phones running Google’s Android platform. As a rule of thumb, the cause is either a platform vulnerability, which is usually fixed by Google, or malware-infected apps in the Android Market, which are eventually deleted by Google (both from the Market and off devices).
The most recent vulnerability seems to be HTC’s fault; apparently there’s a huge security flaw which affects Android phones manufactured by the Taiwanese phone-maker (U.S. models only, according to some reports). Models believed to be affected are the EVO 4G, EVO 3D, Thunderbolt, EVO Shift 4G, MyTouch 4G Slide, the upcoming Vigor, some Sensation models and probably others too.
On to the ugly part: AndroidPolice has uncovered that HTC’s logging tools collect and leak sensitive information. What is leaked? User account lists, last known network and GPS locations and a limited previous history of locations, phone numbers from the phone log, SMS data, including phone numbers and encoded text, and system logs, just to name a few.
It turns out that an application does not need to be malware-infected or evil to access this information: any application which requests android.permission.INTERNET (basically permission to access the internet, and there are a ton that do) can get access to the aforementioned data.
AndroidPolice believes that the data leakage is HTC’s fault, and more specifically the fault of HtcLoggers.apk. How to solve the problem? Well, there’s no easy way as of now: you can either root the phone and delete /system/app/HtcLoggers.apk, or you can wait for HTC to issue a fix.
The Taiwanese manufacturer was contacted with the findings, but after five days passed without a response, the findings were made public in light of the RFPolicy. While there was no information from HTC, they are believed to be aware of the issue and working on a fix. We’ll get back with more details as soon as we find them out. If you want to read more (such as the proof of concept), hit up the source link below.
Credit for finding the vulnerability goes to Trevor Eckhart, Justin Case and the AndroidPolice team.