Security vulnerabilities in mobile devices are not exactly new, but over the years the issue has become a more pressing concern. When it comes to being hit by security vulnerabilities, devices running Android currently seem to have it the worst. Now another security vulnerability has been discovered that affects various HTC devices such as the EVO 3D, EVO 4G, Thunderbolt and many others.
This was all thanks to the detective work of the folks over at Android Police, who have been digging around in HTC's latest software update for its devices. What they found is massive and certainly not pretty. As it turns out, with the most recent update HTC introduced a number of logging tools that collect a whole slew of information from users' devices. No reason has been provided for why the company installed such information collectors on its devices, but if it is doing so, it should see to it that only privileged services or the users themselves can access that confidential information.
Unfortunately, that does not seem to be the case here. As it turned out, any app on the affected devices that requests the collected information can get its hands on it with ease. According to Android Police, the information collected is as follows:
- The list of user accounts, including email addresses and sync status for each
- Last known network and GPS locations and a limited previous history of locations
- Phone numbers from the phone log
- SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
- System logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
Normally, an application can access only the information covered by the permissions it requests. So if an app requests the high scores from a certain device, only the information about the scores will be accessible, not the user's email addresses or phone logs. And that is not all: after checking the log file from an affected device, it was discovered that other sensitive information was also exposed, such as the active notifications in the notification bar, network information and IP addresses, running processes, file system info, CPU info, the list of installed apps and a whole lot more.
To be clear, this is not a security risk that was present in the devices themselves; it was introduced by HTC through an update. So if you haven't updated to the latest software, you are most likely safe from this particular vulnerability. In the meantime, users can implement a temporary fix, but only if the device is already rooted. Users who are running third-party ROMs such as CyanogenMod are also not affected.
Patching is not possible without either root or an update from HTC. If you do root, we recommend immediate removal of Htcloggers (you can find it at /system/app/HtcLoggers.apk).
Android Police is advising users of affected HTC devices not to download any suspicious app from the Market, as such apps can easily capture the collected data. HTC has already acknowledged the vulnerability and has promised to issue an over-the-air patch in just a short while. [via AndroidPolice]