Major security hole claimed in some HTC Android smartphones

Security researchers claim they've found an insecure logging program in some HTC Android phones that easily enables crackers to get full access to all your personal data.

What is it with companies wanting to know your every move anymore? Facebook's has been tracking you on Websites with Facebook Like buttons; Amazon, with its forthcoming Silk Web browser, will literally track your every move on the Web, and now HTC, in some of its Android smartphones, has planted a logging program that records everything you do with your phone. That's bad enough, but according to Android Police researchers, that snooping program has a giant security hole that will let crackers easy grab the information that it has been gathering.

According to the researchers, Trevor Eckhart, Artem Russakovskii, and Justin Case, in recent updates to some of its devices, HTC introduces a suite of logging tools that collected both system and personal information. That's invasive. What's even more annoying is that they also discovered HTC had added "an app called androidvncserver.apk to their Android OS installations". That's a Virtual Network Computing (VNC) remote access server. With it, HTC, in theory, could remotely control your phone.

But, wait, there's more! The real problem is that they've found that "any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on" this data.

What's in there? They've found that, among other information, the logging program gathers:

  • List of user accounts, including email addresses and sync status for each last known network and GPS locations and a limited previous history of locations
  • Phone numbers from the phone log
  • SMS data, including phone numbers and encoded text
  • System logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info.

To get access to all this data, all a cracker need do is to get you to download any program that connects to the Web with android.permission.INTERNET--which is pretty much all Android programs--with instructions to download the HTC data-logger's file on your phone's activity. With just that, in less than a minute, a malware program could forward all your phone's information to a snooper. They will then know who you are, where you're at and where you've been, who you've been calling and texting and on and on.

That's all there is to it. HTC did the hard work of gathering all your information. All a cracker has to do it is to harvest the results. There' no need for a password cracker or any other fanciness to use this security hole. It would take an experienced Android programmer less time to write the code to exploit this problem than it did for me to write this Reader Digest's description of the problem.

The HTC smartphone models that appear to be vulnerable are the EVO 3D, EVO 4G, Thunderbolt,and possibly HTC's Sensation phone line. After finding the vulnerability, the trio claim that Eckhart contacted HTC on September 24th and HTC didn't respond to them. So, after receiving no real response for five business days, they've decided to release news of the vulnerability to force HTC to fix the problem. HTC has yet to respond to these claims.

In the meantime, you should not install any remotely questionable new applications to your HTC smartphone. If you're comfortable getting down and dirty with your phone's firmware you may also want to consider dumping your phone's default HTC Android distro and replacing it with an Android Open Source Project (AOSP) firmware such as CyanogenMod.

Related Stories:

Amazon's Kindle Fire Silk browser has serious security concerns

Privacy groups ask FTC for Facebook investigation too

Facebook fixes cookie behavior after logging out

Hackers using QR codes to push Android malware