Major security hole claimed in some HTC Android smartphones

Major security hole claimed in some HTC Android smartphones

Summary: Security researchers claim they've found an insecure logging program in some HTC Android phones that easily enables crackers to get full access to all your personal data.

SHARE:

What is it with companies wanting to know your every move anymore? Facebook's has been tracking you on Websites with Facebook Like buttons; Amazon, with its forthcoming Silk Web browser, will literally track your every move on the Web, and now HTC, in some of its Android smartphones, has planted a logging program that records everything you do with your phone. That's bad enough, but according to Android Police researchers, that snooping program has a giant security hole that will let crackers easy grab the information that it has been gathering.

According to the researchers, Trevor Eckhart, Artem Russakovskii, and Justin Case, in recent updates to some of its devices, HTC introduces a suite of logging tools that collected both system and personal information. That's invasive. What's even more annoying is that they also discovered HTC had added "an app called androidvncserver.apk to their Android OS installations". That's a Virtual Network Computing (VNC) remote access server. With it, HTC, in theory, could remotely control your phone.

But, wait, there's more! The real problem is that they've found that "any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on" this data.

What's in there? They've found that, among other information, the logging program gathers:

  • List of user accounts, including email addresses and sync status for each last known network and GPS locations and a limited previous history of locations
  • Phone numbers from the phone log
  • SMS data, including phone numbers and encoded text
  • System logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info.

To get access to all this data, all a cracker need do is to get you to download any program that connects to the Web with android.permission.INTERNET--which is pretty much all Android programs--with instructions to download the HTC data-logger's file on your phone's activity. With just that, in less than a minute, a malware program could forward all your phone's information to a snooper. They will then know who you are, where you're at and where you've been, who you've been calling and texting and on and on.

That's all there is to it. HTC did the hard work of gathering all your information. All a cracker has to do it is to harvest the results. There' no need for a password cracker or any other fanciness to use this security hole. It would take an experienced Android programmer less time to write the code to exploit this problem than it did for me to write this Reader Digest's description of the problem.

The HTC smartphone models that appear to be vulnerable are the EVO 3D, EVO 4G, Thunderbolt,and possibly HTC's Sensation phone line. After finding the vulnerability, the trio claim that Eckhart contacted HTC on September 24th and HTC didn't respond to them. So, after receiving no real response for five business days, they've decided to release news of the vulnerability to force HTC to fix the problem. HTC has yet to respond to these claims.

In the meantime, you should not install any remotely questionable new applications to your HTC smartphone. If you're comfortable getting down and dirty with your phone's firmware you may also want to consider dumping your phone's default HTC Android distro and replacing it with an Android Open Source Project (AOSP) firmware such as CyanogenMod.

Related Stories:

Amazon's Kindle Fire Silk browser has serious security concerns

Privacy groups ask FTC for Facebook investigation too

Facebook fixes cookie behavior after logging out

Hackers using QR codes to push Android malware

Topics: Security, HTC, Mobility, Smartphones, Telcos

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

42 comments
Log in or register to join the discussion
  • Not sure if this fits the description of Security Hole

    It's more like an overt attempt to install a vncserver, log and track personal info.

    Has to be either a major fubar insofar as what reached RTM images or an attempt to snoop, albeit in plain sight.
    Dietrich T. Schmitz *Your
    • Spyware is common in Android

      @Dietrich T. Schmitz * Your Linux Advocate

      I know you will never acknowledge that fact, but Android is sypware. How many times have Android being caught capturing user data and sending it to a server?

      Remember when Google was actually taking REALTIME snapshots of what users were doing and sending a copy to their server? If it wasn't for the fact that some idiot forgot to delete the image after sending and the drives in Android phones were quickly filling with the images nobody would even know that Android was taking screenshots withoutu ser consent. Google's cheap excuse: a mistake on a test feature.

      Or when Android was "caught" login location information, and unlike Apple the information was actually sent to Google?

      I would not be surprise if this is not an HTC only issue. I bet that the feature is part of the OS.
      wackoae
      • RE: Major Security Hole claimed in some HTC Android Smartphones

        @wackoae: Android generally speaking is no more spyware than iOS is!
        bradavon
      • RE: Major Security Hole claimed in some HTC Android Smartphones

        @wackoae
        This issue belongs to HTC not Android.
        daikon
      • RE: Major Security Hole claimed in some HTC Android Smartphones

        @wackoae Spot on.

        @Bradavon - There are a lot more holes in Android than in iOS - and yes there is also more spyware on Android.

        @daikon - This IS indeed an HTC issue vs a generic Android issue but Android does have more than it's share of spyware related issues.
        athynz
      • Why Replace One Confusion with another?

        @wackoae All you are 'accomplishing' here is to replace one cvonfused stream of disinformation with another. No, Android is NOT 'spyware'. It is the rule, not the exception, that the data Android collects and sends back to Google is legitimate. The exception you described wasn't even on Android.
        mejohnsn
      • Keep telling yourself that

        @mejohnsn It is not like Google is currently recording your home WiFi setup (out of Android phones) or anything like that with the excuse that it will use it to map "hotspot" for other Android users ........
        wackoae
    • How is that NOT a Security HOle?

      @Dietrich T. Schmitz * Your Linux Advocate

      You express doubts that it is a security hole, but then what you describe is EXACTLY a security hole. Yes, it is 'fubar', too, but that is often the case with security holes.
      mejohnsn
    • RE: Major Security Hole claimed in some HTC Android Smartphones

      @Dietrich T. Schmitz * Your Linux Advocate
      Whoops! Stalkers, you got SERVED.
      great-ish-soul
  • RE: Major Security Hole claimed in some HTC Android Smartphones

    http://url7.me/kVh4
    llidhiehn
    • RE: Major Security Hole claimed in some HTC Android Smartphones

      @llidhiehn<br><br>Your URL has absolutely NOTHING to do with this article or any other, for that matter. I am not interested in your 'spamming', nor do I care about the products. Please, go elsewhere to do your business.
      MmeMoxie
  • RE: Major Security Hole claimed in some HTC Android Smartphones

    Which European models are affected? All those with the exception of the Sensation are North American only models (there's no 4G in Europe for starters).

    What about The Desire? A very popular European model.
    bradavon
    • As far as I've read, the Sensation is the only European model effected....

      @bradavon

      ...so it's possibly anything runnign HTC Sense v3?
      DevJonny
      • RE: Major Security Hole claimed in some HTC Android Smartphones

        @DevJonny

        The Evo 4G runs an earlier version of Sense.
        dsf3g
    • RE: Major Security Hole claimed in some HTC Android Smartphones

      @bradavon

      Evo 3D
      bannedagain
  • This sounds familiar...

    I actually have an HTC Desire S. I've been tracking the development of the htcsense.com site, kind of web/cloud service with which you could track your phone, erase data and eventually block it in case of loss/theft. A vnc server installed could be of use for htc for this purpose, but obviously, also serves to gather your data!! so, I think htc owes us an explanation.
    victor.rossetti@...
  • What a joke

    Consumers deserve what they get when they value flash and fluff over proper security and due diligence. Google needs to pull control back and lock down Android.

    Any corporate IT group supporting Android should have their head examined.
    MobileAdmin
    • your mistaken assumption is -

      @MobileAdmin
      Google cares. No, Google does not care and never has.
      Cynical99
  • Not a security hole at all - Outright attempt to steal data

    It appears more of an outright attempt to steal personal data. After all, gathering the date indicates an intent to retrieve and use the data.

    Nice open source world you have out there. Doesn't look any different from the proprietary world of Microsoft.
    Cynical99
  • Not a security hole at all - Outright attempt to steal data

    It appears more of an outright attempt to steal personal data. After all, gathering the date indicates an intent to retrieve and use the data.

    Nice open source world you have out there. Doesn't look any different from the proprietary world of Microsoft.
    Cynical99