'Massive' security flaw in HTC Android phones

A “massive" security vulnerability in some HTC-branded smartphones running Google’s Android threatens to give away important information about their owners, researchers have found out. Researchers Trevor Eckhart, Artem Russakouskii, and Justin Case said they informed HTC of the vulnerability on September 24, but went public with their findings when it did not respond. “In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in. That is not the case," Russakouskii said in a post on the Android Police website. He said the phone models that may possibly be affected by the vulnerability include:

• EVO 4G
• EVO 3D
• Thunderbolt
• some Sensations

But Russakouskii said only stock “Sense" firmware is affected, and those running an AOSP-based ROM like CyanogenMod are safe. Such a flaw can give any application that can go online the access to information on the phone, including:

• the list of user accounts, including email addresses and sync status for each last known network and GPS locations and a limited previous history of locations
• phone numbers from the phone log
• SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
• system logs (both kernel/dmesg and app/logcat), which includes everything running apps do and is likely to include email addresses, phone numbers, and other private info

He also found the following data is also exposed:

• active notifications in the notification bar, including notification text
• build number, bootloader version, radio version, kernel version
• network info, including IP addresses
• full memory info
• CPU info
• file system info and free space on each partition
• running processes
• current snapshot/stacktrace of not only every running process but every running thread
• list of installed apps, including permissions used, user ids, versions, and more
• system properties/variables
• currently active broadcast listeners and history of past broadcasts received
• currently active content providers
• battery info and status, including charging/wake lock history

According to the researchers, the security gap stemmed from modifications HTC made in the Android operating system in EVO and Thunderbolt models. Russakouskii said that after HTC was contacted and failed to respond after five business days, they made their findings public. “In my experience, lighting fire under someone's ass in public makes things move a whole lot faster, which is why responsible disclosure is a norm in the security industry," he said. Russakouskii also noted HTC also decided to add an app called androidvncserver.apk to their Android OS installations - basically a remote access server. He said patching the vulnerability is not possible without either root or an update from HTC. "If you do root, we recommend immediate removal of Htcloggers (you can find it at /system/app/HtcLoggers.apk)," he said. A separate article on PC World quoted Eckhart as saying there is no way at this time to patch the vulnerability without jailbreaking the phone. “This latest vulnerability exposes the problems that can occur in an open source environment like Android. While it allows phone makers and application developers to make creative changes to the basic system, it can also open the door to abuse of a phone owner’s data," it said. — TJD, GMA News