HTC is readying an urgent security update for some of its Android smartphones, in a bid to close a serious data-leaking vulnerability.
The security flaw, uncovered in late September by security researcher Trevor Eckhart, would allow a malicious third party to access data collected by logging tools HTC has built into handsets such as the Evo 3D, Evo 4G and Thunderbolt. Only phones running the stock version of HTC's Sense interface are affected — modified ROMs such as CyanogenMod are safe.
According to Android Police, which published Eckhart's findings after he failed to get a response from HTC, the data exposed by the vulnerability includes lists of user accounts, recently dialled phone numbers, a limited GPS and network-derived history of recently visited locations, encoded SMS data and system logs.
Other data is also exposed, including information about installed apps, the file system, battery status and more. A malicious third-party app would need to request only the ordinary internet permission, not any of the Android permissions that normally guard contacts, location or SMS data, to read all of this information, so nothing in the app's permission list would warn the user that it could reach it.
"HTC takes claims related to the security of our products very seriously," the handset manufacturer said in a statement on Tuesday. "In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application."
While avoiding a confirmation or denial of Android Police's specific claims, HTC said a malware app exploiting the flaw "would potentially be acting in violation of civil and criminal laws".
HTC pointed out that there is no evidence the flaw has actually been exploited, but it was nonetheless "working very diligently to quickly release a security update that will resolve the issue on affected devices".
"Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it," HTC said. "We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources."
ZDNet UK asked HTC whether it had already passed the fix on to operators, but the company did not provide this information.
While Android Police welcomed HTC's quick action, the publication expressed continued fears over the nature of the logging tools HTC has put on its handsets.
"I do have to wonder whether the patch will simply apply some sort of an authentication scheme to the service while letting it continue to collect the same kind of sensitive data to be potentially reported back to HTC or carriers," Android Police editor Artem Russakovskii wrote on Tuesday.