
Major Security Hole Discovered in HTC Android Phones

A major security hole has been found in some HTC Android phones that could give apps with the Internet permission access to information such as the user's location and text messages. In fact, this could happen with any third-party application. The devices identified so far include the EVO 3D, 4G, Thunderbolt, EVO Shift 4G, MyTouch 4G Slide, etc. The list could grow with further research.

 


After quite extensive research, Android Police discovered a suite of logging tools called HTCLoggers, which was added to some HTC devices during a recent software update. HTCLoggers.apk has root-level access. Any app on an affected device that requests the single permission android.permission.INTERNET, which is normal for any app that connects to the Internet, can get its hands on the following:

- the list of user accounts, including email addresses and sync status for each
- last known network and GPS locations and a limited previous history of locations
- phone numbers from the phone log
- SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
- system logs (both kernel/dmesg and app/logcat), which include everything your running apps do and are likely to include email addresses, phone numbers, and other private info

 

There is no immediate fix for this security flaw, but if your device is rooted, you can delete HtcLoggers.apk right away (you can find it at /system/app/HtcLoggers.apk).
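A presence check for the file named above, as an added example (not from the original article or from Android Police). It reads a listing of /system/app on stdin; the sample listings are constructed, and using adb to obtain a live listing is an assumption about the reader's setup.

```shell
#!/bin/sh
# Added example: report whether the logging APK named in the article is
# present in a listing of /system/app. Reads the listing on stdin.
# The article spells the file name with varying case, so the match ignores case.

TARGET="htcloggers.apk"   # from the article's path /system/app/HtcLoggers.apk

# find_htcloggers: prints each matching file name, one per line.
# Returns 0 if at least one match was found, 1 otherwise.
find_htcloggers() {
    tr -d '\r' |                      # adb shell output may end lines with CR
    awk -v target="$TARGET" '
        {
            name = $NF                # last field: works for "ls" and "ls -l"
            sub(/^.*\//, "", name)    # drop any directory prefix
            # Exact name match only, so a renamed copy is not reported.
            if (tolower(name) == target) { print name; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample listings (not captured from a real device).
SAMPLE_AFFECTED=$(printf '%s\r\n' \
    '-rw-r--r-- root root 1234567 2011-09-01 12:00 Browser.apk' \
    '-rw-r--r-- root root  345678 2011-09-01 12:00 HtcLoggers.apk' \
    '-rw-r--r-- root root  345678 2011-09-01 12:00 HtcLoggers.apk.bak')
SAMPLE_CLEAN=$(printf '%s\n' 'Browser.apk' 'Contacts.apk')

# Live use with a device attached (assumes adb is installed):
#   adb shell ls /system/app | find_htcloggers && echo "logger APK present"
```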

This is not a security vulnerability in Android itself but something introduced by the HTC team; even so, it is a serious issue. We have seen many instances in the past of Android devices being affected by malware apps, but this one is entirely different.

HTC has responded to this report - "HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken."

Proof of Concept for advanced Android users:

