Vulnerability Found in HTC Android Devices, Leaking Personal Data

Massive Security Vulnerability found in HTC Android Devices (EVO 3D, 4G, Thunderbolt, Others) Exposes Phone Numbers, GPS, SMS, Emails Addresses, and many more.

In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.

That is not the case. What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:-
  • the list of user accounts, including email addresses and sync status for each
  • last known network and GPS locations and a limited previous history of locations
  • phone numbers from the phone log
  • SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
  • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don't expect it to read your phone log or list of emails.
But that's not all. After looking at the huge amount of data (the log file was 3.5MB on my EVO 3D) that is vulnerable to apps exploiting this vulnerability all day, I found the following is also exposed (granted, some of which may be already available to any app via the Android APIs):

  •     active notifications in the notification bar, including notification text
  •     build number, bootloader version, radio version, kernel version
  •     network info, including IP addresses
  •     full memory info
  •     CPU info
  •     file system info and free space on each partition
  •     running processes
  •     current snapshot/stacktrace of not only every running process but every running thread
  •     list of installed apps, including permissions used, user ids, versions, and more
  •     system properties/variables
  •     currently active broadcast listeners and history of past broadcasts             received
  •     currently active content providers
  •     battery info and status, including charging/wake lock history
  •     and more
Affected Phones:-
  •     EVO 4G
  •     EVO 3D
  •     Thunderbolt
  •     EVO Shift 4G?
  •     MyTouch 4G Slide?
  •     the upcoming Vigor?
  •     some Sensations?
  •     View 4G?
  •     the upcoming Kingdom?

Note: Only stock Sense firmware is affected - if you're running an AOSP-based ROM like CyanogenMod, you are safe.

Here is Video to Show you  The HTCLoggers.apk Vulnerability:-

HTC's Response:-
After finding the vulnerability, Trevor contacted HTC on September 24th and received no real response for five business days, after which he released this information to the public (as per RF full disclosure Policy). In my experience, lighting fire under someone's ass in public makes things move a whole lot faster, which is why responsible disclosure is a norm in the security industry. (This is where we come in.)
As far as we know, HTC is now looking into the issue, but no statement has been issued yet. HTC, you got yourself into this mess, and it's now up to you to climb out of the hole as fast as possible, in your own interest. The ball is in your court.

-News Source (Android Police)


Voice Of GREYHAT is a non-profit Organization propagating news specifically related with Cyber security threats, Hacking threads and issues from all over the spectrum. The news provided by us on this site is gathered from various Re-Sources. if any person have some FAQ's in their mind they can Contact Us. Also you can read our Privacy Policy for more info. Thank You ! -Team VOGH
If you enjoyed VOGH News, Articles Then Do Make sure you to Subscribe Our RSS feed. Stay Tuned with VOGH and get Updated about Cyber Security News, Hacking Threads and Lots More. All our Articles and Updates will directly be sent to Your Inbox. Thank You! -Team VOGH

Categories: ,
Related Posts Plugin for WordPress, Blogger...