Mobile Technology

“Massive security vulnerability” in HTC Android smartphones exposed

The team at Android Police are reporting a "massive security vulnerability" in HTC Android devices

In news that will no doubt be of great concern to owners of HTC smartphones, a security team is claiming to have uncovered a "massive security vulnerability" in HTC Android devices that allows any application with Internet access to gain access to private data, including user accounts, email addresses, GPS location, text message data and phone numbers. The vulnerability is said to affect HTC smartphones running the latest version of HTC's software, including the EVO 3D, EVO 4G, Thunderbolt, and others.

The reported vulnerability, which has left those who discovered it - Justin Case, Trevor Eckhart and Artem Russakovskii from Android Police - speechless, involves a suite of logging tools included in recent HTC modifications to the Android operating system in EVO and Thunderbolt models that collect a stack of information on the user's phone. But not only do the modifications collect a swathe of information, they also allow nefarious types to send that data to wherever on the Internet they like.

"It's like leaving your keys under the mat and expecting nobody who finds them to unlock the door," says Russakovskii.

The list of compromised data includes but is not limited to:

  • List of user accounts, including email addresses
  • Last known GPS location and history of previous locations
  • Phone numbers from the phone log
  • SMS data, including phone numbers and encoded text
  • System logs, which track everything your running apps do
  • System information, including build number, bootloader version, CPU info, running processes, list of installed apps, battery info and status, and network info, including IP addresses.

Eckhart only released the information after contacting HTC on September 24th and receiving no real response for five days, in the hopes that making the security vulnerability public would prompt HTC to address the issue. Although the team at Android Police believes HTC is looking into the issue, there's been no statement from the company as yet.

The team also uncovered an app added by HTC called androidserver.apk that is basically a remote access server that could allow third parties access to the phone. They say that, while the addition of the app "could end up being insignificant," it is still "very suspicious." Although the app isn't started by default, it isn't clear what or who can trigger it.

While open source software, such as Android, has many advantages over a closed system, such as allowing greater creativity on the part of developers, the vulnerability the Android Police team claims to have uncovered highlights one of the major downsides of open source software. While users expect problems from sources in the darker corners of the Internet and are extra vigilant in looking out for anything that may compromise the security of their devices, the fact this problem comes from one of the biggest players in the Android space is a real concern.

Hopefully, now that the problem has been brought to light, HTC will release an update to address it in quick fashion. Until then, Eckhart says the only way to patch the vulnerability is to root your phone, which can unfortunately void the warranty. If you do decide to go down the rooting path, Eckhart recommends the removal of HtcLoggers, which can be found at /system/app/HtcLoggers.apk.
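To check whether a device carries the two HTC-added packages named above, the following added example (not code from Android Police or HTC) scans a package listing for HtcLoggers.apk and androidserver.apk. It assumes the listing comes from `pm list packages -f`, captured for instance over adb; the sample listing and its package names are constructed placeholders.

```shell
#!/bin/sh
# Added example: flag the HTC-added APKs named in the article in a package listing.
# Input: lines from `pm list packages -f`, shaped "package:<apk path>=<package name>".

WATCHLIST="htcloggers.apk androidserver.apk"   # file names taken from the article

# Reads a listing on stdin and prints one "FOUND <path> (<package>)" line per match.
# Returns 1 if any watched APK is present, 0 if the listing is clean.
audit_pm_listing() {
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')   # adb output may carry CRs
        case "$line" in package:*=*) ;; *) continue ;; esac
        entry=${line#package:}
        path=${entry%=*}                            # everything before the last '='
        pkg=${entry##*=}
        base=$(printf '%s' "${path##*/}" | tr 'A-Z' 'a-z')
        for name in $WATCHLIST; do
            if [ "$base" = "$name" ]; then
                printf 'FOUND %s (%s)\n' "$path" "$pkg"
                found=1
            fi
        done
    done
    return "$found"
}

# Constructed sample listing; package names are placeholders, not real identifiers.
sample_listing() {
    printf '%s\r\n' \
        'package:/system/app/Browser.apk=com.example.browser' \
        'package:/system/app/HtcLoggers.apk=placeholder.loggers' \
        'package:/data/app/com.example.game-1.apk=com.example.game' \
        'package:/system/app/androidserver.apk=placeholder.androidserver'
}

# Demo on the constructed listing. Live use (assumes adb and a connected device):
#   adb shell pm list packages -f | audit_pm_listing
sample_listing | audit_pm_listing || echo "watched HTC packages present"
```

A non-zero return means at least one of the two packages is installed; the match is on the APK file name only, so it says nothing about whether the package is running.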

    7 comments
    Andbew
    Hi,
    How exactly is the inclusion of two CLOSED SOURCE software packages added to Android by HTC somehow an indictment of OPEN SOURCE software again?
    Great site but your logic in this piece makes no sense.
    If anything this is a reason for people to use Cyanogen, the fully opensource Android. There the open source allows everyone to watch everyone else versus being behind closed doors at HTC.
    Apple and Microsoft can inject items like this at their discretion and unlike on Android, few have the skills or interest to notice it.
    jimbo92107
    "Hopefully, now that the problem has been brought to light, HTC will release an update to address it in quick fashion."
    Hope is not a plan. HTC needs to fix this right away, and keep its customers informed.
    alcalde
    "... the vulnerability the Android Police team claims to have uncovered highlights one of the major downsides of open source software."
    The article nowhere makes a case that the open source nature of Android in any way caused this security breach. From what can be gathered from the article, HTC's logging tool is collecting the information and I assume other applications can access this log file and then send the data off the phone. This permissions failure could just as easily have occurred in closed-source iOS or WP7 (in fact, a bug in the WP7 camera app was transmitting GPS data to Microsoft without asking for permission and was just fixed with the latest update). It would seem that the open source nature of the software would make it *easier* for security teams to find vulnerabilities, as they can examine both the behavior of the system and the underlying code to quickly clarify what the phone is doing without extensive reverse engineering or guesswork.
    Page Schorer
    I agree with alcalde. It has nothing to do with open source and everything to do with stupidity.
    Timothy Rohde
    Could the author please clarify how this security issue is a consequence of open source software? This has nothing to do with what's downloaded! It's what HTC did to their phones. If they shipped them rooted this wouldn't even be a problem.
    "While open source software, such as Android, has many advantages over a closed system, such as allowing greater creativity on the part of developers, the vulnerability the Android Police team claims to have uncovered highlights one of the major downsides of open source software. While users expect problems from sources in the darker corners of the Internet and are extra vigilant in looking out for anything that may compromise the security of their devices, the fact this problem comes from one of the biggest players in the Android space is a real concern."
    Adrien
    How is this a vulnerability?
    It's not clear from the article, but it sounds as though in order to suffer from this you'd need to download some basically malware onto your phone and run it, so it can send the logs off somewhere.
    Talk about a media beat-up.
    Gadgeteer
    Adrien, that's exactly the definition of a "vulnerability." And there's plenty of Android malware. Just Google "Android malware" and you'll see lots of lists. It isn't a stretch that someone could easily circulate something that can take advantage of this vulnerability.