HTC Android smartphones including the Evo 3D, the Evo 4G, and the Thunderbolt contain a flaw that gives Internet-connected apps installed on the devices access to personal information such as text message data, location info, e-mail addresses, and phone numbers, according to a trio of security researchers.
Researcher Artem Russakovskii says that he, Justin Case, and Trevor Eckhart have discovered a vulnerability involving logging tools that HTC recently installed on the devices during a software update.
Such tools, Russakovskii writes, might normally be used for remote analysis of problems on a device, among other things. But the problem here is that, because of this purportedly misguided update, “any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the Web or shows ads)” can, Russakovskii says, get access to:
- “the list of user accounts, including email addresses…
- last known network and GPS locations and a limited previous history of locations
- phone numbers from the phone log
- SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
- system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info”
For now, the only way for users to address the issue is to wait for a fix from HTC or to jailbreak the phone and remove the logging tools, according to Russakovskii. He advises owners of the devices to be especially vigilant about downloading suspicious apps.
Russakovskii says the trio contacted HTC about the problem on September 24, waited five business days, and then went public when they hadn’t heard back. “As far as we know, HTC is now looking into the issue, but no statement has been issued yet,” he writes.
Vulnerable devices, according to Russakovskii, might also include the Evo Shift 4G, the MyTouch 4G Slide, the upcoming Vigor, some Sensations, and “most likely others.”
“It’s like leaving your keys under the mat and expecting nobody who finds them to unlock the door,” Russakovskii says. You can read his complete post here.