October 03, 2011: Massive HTC Android Vulnerability Leaves Security Expert "Speechless"
"I am quite speechless right now," begins Artem Russakovskii over at Android Police as he posts about a "massive" security flaw in HTC Android devices that allows malicious hackers to access phone numbers, GPS, SMS, email addresses and more.
The affected devices include EVO, 3D, 4G and Thunderbolt and apparently the flaw goes so deep that the guys at Android Police are discovering new issues with each new test or examination:
What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:
- the list of user accounts, including email addresses and sync status for each last known network and GPS locations and a limited previous history of locations
- phone numbers from the phone log
- SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
- system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info...
Even worse, for apps that only need one type of information, like the Internet permission, this vulnerability still grants access to other areas of the device (like location, logs, even battery stats, just to name a few).
Basically, it sounds as if you're using one of these HTC Android devices, you've been walking around with your fly undone and a big "eff me over" sign on your back.
The security research is ongoing and we'll update with any fixes or security patches that get issued. The only way this gets fixed is an update from HTC itself, says the guys at A.P. [Android Police]