In a statement released to the media, HTC said, “HTC takes our customers’ security very seriously, and we are working to investigate this claim as quickly as possible.”
“We will provide an update as soon as we’re able to determine the accuracy of the claim and what steps, if any, need to be taken,” it added.
The vulnerability affects the HTC EVO 3D, EVO 4G, Thunderbolt and possibly the Sensation line, according to researchers Trevor Eckhart, Artem Russakovskii and Justin Case.
The researchers alerted HTC to the vulnerability on September 24, but when they received no response from the company for five days, they went public with their discovery September 30.
One way to close the vulnerability is to delete a system file named htcloggers, but to do that, a user needs to jailbreak, or “root,” their phone, which could void its warranty. Short of that, the researchers recommended that users be careful about the apps they download until HTC fixes the problem.
That shouldn’t be too difficult, according to Rik Ferguson, director of security research and communications at Trend Micro. “It sounds like something very simple to patch,” he told the BBC.
“They didn’t anticipate that kind of information would be of interest,” he added. “It’s a lack of foresight rather than lax programming, I think. It should be something relatively easy to fix.”
Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.