Security Alert: Major vulnerability discovered affecting almost all HTC devices with HTCLoggers.apk

According to findings by AndroidPolice and Trevor Eckhart, almost all HTC devices are vulnerable to a newly discovered flaw that leaks not only your phone numbers but also SMS and GPS data, email addresses and much more.

Apparently this vulnerability affects smartphones such as the EVO 3D, EVO Design 4G, Thunderbolt and more. HTC recently issued a series of logging tools via firmware upgrades that are intended to collect information in a secure manner. Unfortunately, according to Trevor’s findings, almost any app on affected devices that requests a single android.permission.INTERNET permission (which is normal for any app that connects to the web or shows ads) can get its hands on:

  • the list of user accounts, including email addresses and sync status for each
  • last known network and GPS locations and a limited previous history of locations
  • phone numbers from the phone log
  • SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
  • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
  • active notifications in the notification bar, including notification text
  • build number, bootloader version, radio version, kernel version
  • network info, including IP addresses
  • full memory info
  • CPU info
  • file system info and free space on each partition
  • running processes
  • current snapshot/stacktrace of not only every running process but every running thread
  • list of installed apps, including permissions used, user ids, versions, and more
  • system properties/variables
  • currently active broadcast listeners and history of past broadcasts received
  • currently active content providers
  • battery info and status, including charging/wake lock history
  • and probably more

Video: http://youtu.be/YoTUkQ7SlNU

How to patch: the fix requires either a rooted device or an update directly from HTC. If you do root or already have a rooted device, our recommendation is to immediately remove HTCLoggers (you can find it at /system/app/HtcLoggers.apk).

Stay safe and don’t download suspicious apps. Of course, even quality-looking apps can silently capture and send off this data, but the chance of that is lower.

Affected Devices

Note: Only stock Sense firmware is affected – if you’re running an AOSP-based ROM like CyanogenMod, you are safe.

  • EVO 4G
  • EVO 3D
  • Thunderbolt
  • most likely Sensation and others – we haven’t verified them yet, but you can help us by downloading the proof of concept above and running the APK

For more details about this vulnerability, hit the jump to Android Police!
