‘Massive Security Vulnerability’ in HTC Android Phones Claimed

Security researchers say they’ve uncovered a flaw in several smartphone models produced by HTC that gives any application that has Internet access the keys to a trove of information on the phone, including e-mail addresses, GPS locations, phone numbers, and text message data.

Phone models claimed to be affected by the vulnerability are the EVO 3D, EVO 4G, Thunderbolt, and possibly HTC’s Sensation line.

The researchers, Trevor Eckhart, Artem Russakouskii, and Justin Case, say they informed HTC of the vulnerability on September 24, but after HTC failed to respond to their warning for five days, they went public with their knowledge on Friday.

The security gap in the HTC phones stems from modifications the company made in versions of the Android operating system in EVO and Thunderbolt models. Those changes add a suite of logging tools to the system. “If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in,” Russakouskii wrote yesterday at the Android Police website.

That’s not the case here, he notes. The modifications made to Android by HTC allow any application that you give permission to access the Internet from the phone access to a plethora of sensitive information on the device. What’s more, it also has permission to send the data that it finds wherever it wants on the Net without your knowledge.

“Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the [Android] Market that only asks for the INTERNET permission (to submit scores online, for example), you don’t expect it to read your phone log or list of e-mails,” Russakouskii explains.

He compares the vulnerability to leaving the keys to your house under the welcome mat and not expecting anyone to find them.

Data that can be peeked at by any app with Internet access include:

• E-mail addresses
• Last known network and GPS locations.
• Phone numbers from phone logs.
• SMS data, including phone numbers and encoded text.
• System logs, which track everything your apps do, such as logging into secure locations.
• System information such as onboard memory, CPU data, running processes and list of installed apps, including permissions they use and your user IDs for them.

In addition to the logger suite, Russakouskii notes, HTC has further modified Android with the addition of something named androidvncserver.apk. While the addition of that app, which is designed to give third parties remote access to a phone, might end up being insignificant, he did find it “suspicious.” “The app doesn’t get started by default, but who knows what and who can trigger it and potentially get access to your phone remotely?” he asks.

According to Eckhart, there’s no way at this time to patch the vulnerability without jailbreaking the phone, which, of course, will void the warranty. If you do hack the phone’s OS, you can remove HTC’s logger suite, htcloggers.apk, found in /system/app/.

This latest vulnerability exposes the problems that can occur in an open source environment like Android. While it allows phone makers and application developers to make creative changes to the basic system, it can also open the door to abuse of a phone owner’s data.

(See also “Keep Malware Off Your Android Phone: 5 Quick Tips.)

Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.