We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Massive Security Vulnerability in HTC Android Phones Claimed

HTC apparently modified Android in a way that leaves some of its phones open to hacks and data theft, researchers reveal.

Security researchers say they've uncovered a flaw in several smartphone models produced by HTC that gives any application that has Internet access the keys to a trove of information on the phone, including e-mail addresses, GPS locations, phone numbers, and text message data.

Phone models claimed to be affected by the vulnerability are the EVO 3D, EVO 4G, Thunderbolt, and possibly HTC's Sensation line.

The researchers, Trevor Eckhart, Artem Russakouskii, and Justin Case, say they informed HTC of the vulnerability on September 24, but after HTC failed to respond to their warning for five days, they went public with their knowledge on Friday.

The security gap in the HTC phones stems from modifications the company made in versions of the Android operating system in EVO and Thunderbolt models. Those changes add a suite of logging tools to the system. "If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in," Russakouskii wrote yesterday at the Android Police website.

That's not the case here, he notes. The modifications made to Android by HTC allow any application that you give permission to access the Internet from the phone access to a plethora of sensitive information on the device. What's more, it also has permission to send the data that it finds wherever it wants on the Net without your knowledge.

"Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the [Android] Market that only asks for the INTERNET permission (to submit scores online, for example), you don't expect it to read your phone log or list of e-mails," Russakouskii explains.

He compares the vulnerability to leaving the keys to your house under the welcome mat and not expecting anyone to find them.

Data that can be peeked at by any app with Internet access include:

  • E-mail addresses
  • Last known network and GPS locations.
  • Phone numbers from phone logs.
  • SMS data, including phone numbers and encoded text.
  • System logs, which track everything your apps do, such as logging into secure locations.
  • System information such as onboard memory, CPU data, running processes and list of installed apps, including permissions they use and your user IDs for them.

In addition to the logger suite, Russakouskii notes, HTC has further modified Android with the addition of something named androidvncserver.apk. While the addition of that app, which is designed to give third parties remote access to a phone, might end up being insignificant, he did find it "suspicious." "The app doesn't get started by default, but who knows what and who can trigger it and potentially get access to your phone remotely?" he asks.

According to Eckhart, there's no way at this time to patch the vulnerability without jailbreaking the phone, which, of course, will void the warranty. If you do hack the phone's OS, you can remove HTC's logger suite, htcloggers.apk, found in /system/app/.

This latest vulnerability exposes the problems that can occur in an open source environment like Android. While it allows phone makers and application developers to make creative changes to the basic system, it can also open the door to abuse of a phone owner's data.

(See also "Keep Malware Off Your Android Phone: 5 Quick Tips.)

Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.


IDG UK Sites

Best Christmas 2014 UK tech deals, Boxing Day 2014 UK tech deals & January sales 2015 UK tech...

IDG UK Sites

LED vs Halogen: Why now could be the right time to invest in LED bulbs

IDG UK Sites

Christmas' best ads: See great festive spots studios have created to promote themselves and clients

IDG UK Sites

Stop running out of cellular data on your iPhone, see which apps use the most data