Shame on you, HTC

I love my HTC Thunderbolt. But I'm pretty upset to find this today:

That is not the case. What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

  • the list of user accounts, including email addresses and sync status for each
  • last known network and GPS locations and a limited previous history of locations
  • phone numbers from the phone log
  • SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
  • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

In a nutshell, this means that basically every app on my phone can get access to everything I do, every person I call, every website I visit, every text I send, and more. And since apps with this permission can access the internet (that's the permission they requested that gave them all these privileges), they can send any of that information to a remote server.

More findings:

But that's not all. After looking at the huge amount of data (the log file was 3.5MB on my EVO 3D) that is vulnerable to apps exploiting this vulnerability all day, I found the following is also exposed (granted, some of which may be already available to any app via the Android APIs):

  • active notifications in the notification bar, including notification text
  • build number, bootloader version, radio version, kernel version
  • network info, including IP addresses
  • full memory info
  • CPU info
  • file system info and free space on each partition
  • running processes
  • current snapshot/stacktrace of not only every running process but every running thread
  • list of installed apps, including permissions used, user ids, versions, and more
  • system properties/variables
  • currently active broadcast listeners and history of past broadcasts received
  • currently active content providers
  • battery info and status, including charging/wake lock history
  • and more

The fix appears to be the removal of a particular application:

Patching the vulnerability is not possible without either root or an update from HTC. If you do root, we recommend immediate removal of Htcloggers (you can find it at /system/app/HtcLoggers.apk).

If you don't know how to do that, well, find someone who does.

Class-action, anyone?

 

Category: 

Add new comment