Massive HTC Android Vulnerability Discovered, Leaves Security Expert 'Speechless'

"I am quite speechless right now", begins Artem Russakovskii over at Android Police as he posts about a "massive" security flaw in HTC Android devices that allows malicious hackers to access phone numbers, GPS, SMS, email addresses and more.

The affected devices include EVO, 3D, 4G and Thuderbolt and apparently the flaw goes so deep that the guys at Android Police are discovering new issues with each new test or examination:

What Trevor found is only the tip of the iceberg -- we are all still digging deeper -- but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

- the list of user accounts, including email addresses and sync status for each last known network and GPS locations and a limited previous history of locations

- phone numbers from the phone log

- SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)

- system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

Even worse, for apps that only need one type of information, like internet permissions, this vulnerability still grants access to other areas of the device (like location, logs, even battery stats, just to name a few).

Basically, it sounds as if you're using one of these HTC Android devices, you've been walking around with your fly undone and a big "eff me over" sign on your back.

The security research is ongoing and we'll update with any fixes or security patches that get issued. The only way this gets fixed is an update from HTC itself, says the guys at A.P.

[Android Police]



    Why would it just be HTC android devices? I would have thought any software flaws would be across all android devices....

      Manufacturers release custom-branded firmware.

      According to Android Police, HTC has included a specific app (HTCLogger.apk) in their firmware which provides an interface to the data for anyone with the permission mentioned in the article. That .apk is where the vulnerability seems to stem.

      I recommend you read the Android Police article for more info. It's fairly indepth.

        Cheers Tim. I didnt read the article but the way you described it makes perfect Sense (pardon the pun)

    I'd expect it's something to do with the version of Sense running on those devices.

    So...this sounds like someone that installs a malicious app and approves it to connect to the internet area can get traced....How does this prove as a fault for the phone? Sounds like its idiot users installing bad apps to me?
    Also how is this only HTC?

    Unless im reading something wrong?

      This says all HTC android phone come with this logger installed. He didn't download a bad app, he simply made an app that can read the log file all HTC android phone make.

      The point is that when you install an app that require permissions for "internet", it should only be given permissions for internet, not call logs, system logs, GPS location etc.

    CM7 ftw...

      Bit of a no brainier really after HTC let us down on 2.3

    This is what happens when you open source your OS and allow clueless hardware companies to screw up your system and also have next to no approval system in place for Applications.

      You're an idiot.
      Having the OS open-sourced allows vulnerabilities such as this to be exposed and patched, making the entire system overall more secure. The point here is, HTC screwed up, not Google.
      I'm going to guess you're most likely an iOS user, if so, I'd rather an open-OS where I can modify things to my liking, and have deeper integration with my hardware, then a closed-up proprietary OS which requires teams of extremely talented devs. just to open the access to the root folder.

        This IS Google's fault; Google allows the likes of HTC to fiddle, opening more wholes.

        So your magical OpenSource licence will fix this bug quicker hey? Rubbish. Compare how quickly vulnerabilities get pushed out via iTunes compared to 'manufacturer->carrier->user' in Android world.

        You can brag about your ability to mod things to your liking all you want, but at the end of the day, me and most consumers want a phone that 'just works' and is secure with a quick central source of patches. Personally I have more important things in my life than ‘customising’ my phone to make me feel ‘1337’ (or whatever), just saying, "idiot".

          "most consumers want a phone that ‘just works’ and is secure with a quick central source of patches"
          A central source that treats real issues as fabrications until the problem becomes too big to ignore, you mean. See: iPhone tracking (and yes, Google was guilty of this, don't think I'm being that selective), OSX malware, yellowed screens, death grip. Need I go on?

        And btw, 'HTCLogger.apk' is part of Sense, which is not OpenSource, so your magical OpenSource community won't be able to hold hands, kiss and patch this.

        Typical Android fanboi who thinks their tech geniuses.

          their =/= they're. I do find it humourous that your position rests on our supposed intellectual elitism and, well, there you go.

          Google makes an open-source OS > Manufacturers release custom firmware and skins > Software vulnerability is found > Blame... Google? Your powers of logical deduction are staggering.

          "‘HTCLogger.apk’ is part of Sense, which is not OpenSource, so your magical OpenSource community won’t be able to hold hands, kiss and patch this."

          Something tells me you don't know what Open Source or XDA actually means.

    Am i right in thinking a patch will have to come from HTC to then be approved by your carrier before you can get rid of this security issue?

      Also in the Android Police article.

      You can get root access to your device and then uninstall the HTCLogger.apk, or freeze it I suppose. Or better yet, install custom ROM / Firmware like CyanogenMod.

      Otherwise it's on HTC to, as you said, release an update that goes through carriers (or possibly their website, depending) to devices.

      Probably not. HTC phones have had to fix similar issues before and were able to do it quickly, bypassing carriers.

    Checked HTC Desire (non carrier-branded) - The htclogger apk is not present.

    This is why its much better to buy a device only running stock Android - customisation by OEMs doesn't add anything you can't get from widgets, and in this case actually makes your experience much worse!

    Sense was useful in the days of the HTC Hero... but no longer.

    Nothing wrong with android OS app permission system, but the HTC app it-self: HTCLogger.apk. It collect a a lot of system information, then run a http server without encryption and password protection. Of course any app have internet access permission can connect to it, and send command then retrieve data.

    Good time to switch to WP7 folks :P

      or, if the problem is only HTC-specific, install CyanogenMod on your HTC phone.

        or just install Cyanogenmod anyway.. its awesome

          +9001 this

    Good time to download an AOSP rom then!

    Yeah, time to start blaming everything, strip naked, eat poo, and run around with your arse on fire and hide under the bed till they release a fix... to go by the comments here.

    Don't panic. It's a nasty security hole, but not tooo serious: no passwords, photos or anything can be accessed and you need a specially crafted app to get at this stuff anyway, so just be careful what you install till they DO fix it :)

    Sense used to be good back when Android looked like unpolished garbage, but now it looks totally fine. We don't need the fancy animations any more and the Sense-features can also usually be found elsewhere.

    Manufacturers should stop relying on custom skins to differentiate their product, and instead let their hardware do the talking.

Join the discussion!

Trending Stories Right Now