It’s bad news all around for users of various HTC Android smartphones: the private data collected by the logging tools the company recently introduced has also been found to be available to any application that is granted permission to access the Internet – and most of them are.
The vulnerability was discovered by security researcher Trevor Eckhart, and details of it were shared first with HTC and then with Justin Case and Artem Russakovskii of Android Police.
According to them, any of these apps can access information such as the list of user accounts, WiFi and GPS location data (including a partial history of it), phone numbers from the phone log, SMS data (phone numbers and encoded content), and various system logs and all the information they contain.
All of this is possible because of the htcLoggers app that HTC installed on its devices via one of the most recent updates. The app is meant to collect logs when problems occur with the device, so that the company can retrieve and analyze them and offer the user a solution.
Unfortunately, the information is accessible not only to HTC, but to every Internet-using app. And if a maliciously minded individual decides to exploit the vulnerability by crafting and pushing out such an app, the information can also easily be sent to a remote server to be perused at leisure.
As bad as all this sounds, there is possibly even worse news. According to the researchers’ analysis, the htcLoggers app is not the only one to have been pushed out by HTC. There is another one called androidvncserver.apk that worries them even more.
“If you’re not familiar with the definition of VNC, it is basically a remote access server,” they explain. “The app doesn’t get started by default, but who knows what and who can trigger it and potentially get access to your phone remotely?”
Eckhart has created a proof-of-concept app that allowed him to demonstrate his claims, and it has so far proven successful on EVO 4G and 3G, EVO Shift 4G and MyTouch 4G Slide devices. As the researchers have asked users to download the PoC app and try it out, it is only a matter of time until confirmation of the vulnerability on other devices is received.
Eckhart informed HTC of the bug last week, and the company has finally acknowledged the report and said that it is looking into the matter, reports the BBC.
For the time being, users can do two things: remove the htcLoggers app if they have root access, and/or abstain from downloading additional apps until the bug is patched by HTC.