The Inquirer-Home

Vulnerability in HTC smartphones exposes user data

Updated: HTC is planning an urgent patch
Mon Oct 03 2011, 14:05

AN ANDROID EXPERT has discovered a serious vulnerability in several HTC smartphone models that allows almost any app to read sensitive data stored on the devices.

The security issue was identified by Android developer Trevor Eckhart and is the result of HTC failing to properly secure information collected by a recently introduced logging application.

It's not clear why this data collection app was installed during recent HTC phone updates, but Eckhart found that it exposes a lot of sensitive information like user accounts, email addresses, GPS history, phone numbers listed in the phone log, SMS data and even low-level system details.

According to the Android developer, any app with the INTERNET permission - meaning most of the apps out there - is able to read this data. Android Police reports that some of the system information exposed in this manner could also be used to clone a device.

In addition, another app installed by HTC is called "androidvncserver.apk", which suggests it has remote access capabilities. This information has not been confirmed and the app is not started by default, but it could be used in the future.

The device manufacturer HTC was contacted on 24 September, but it apparently failed to respond within five days, which prompted Eckhart to publicly disclose the vulnerability.

HTC EVO 4G, EVO 3D, Thunderbolt, Shift 4G and Mytouch 4G Slide devices have been confirmed as vulnerable. Some models from the HTC Sensation product line and others are also suspected to be affected.

The smartphone maker is analysing the report and working on a response. "HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible," the company said in a statement, according to the BBC.

"We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken," it added.

Unfortunately, until an official patch becomes available, the only mitigation is removing the "/system/app/HtcLoggers.apk" file, a process that requires root access.

Update
HTC has confirmed the vulnerability and is planning to release an urgent patch for the affected phone models once it's properly tested. Meanwhile, the company has asked users to be careful about what applications they install and where they obtain them.

"In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application," the smartphone maker told the BBC.

"A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability," it added. µ

 

 
