“I am quite speechless right now,” Artem Russakovskii reports for Android Police. “Justin Case and I have spent all day together with Trevor Eckhart (you may remember him as TrevE of DamageControl and Virus ROMs) looking into Trev’s findings deep inside HTC’s latest software installed on such phones as EVO 3D, EVO 4G, Thunderbolt, and others.”
“These results are not pretty. In fact, they expose such ridiculously frivolous doings, which HTC has no one else to blame but itself,” Russakovskii reports. “In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users’ devices, easier remote analysis, corporate evilness – it doesn’t matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.”
“That is not the case,” Russakovskii reports.
What Trevor found is only the tip of the iceberg – we are all still digging deeper – but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:
• the list of user accounts, including email addresses and sync status for each
• last known network and GPS locations and a limited previous history of locations
• phone numbers from the phone log
• SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
• system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
Read more in the full article here.
MacDailyNews Take: Android. “Open” in all the wrong ways.
[Thanks to MacDailyNews readers too numerous to mention individually for the heads up.]
Will wonders never cease!
I know! That dude’s name is Justin Case FTW!
How can he be the cop for android and not have seen any of this until now?
Suddenly HTC changed things?
I don’t think this will be an issue for android users. They don’t have privacy and don’t care.
Especially Android/Windows users.
Exactly! This kind of thing only affects über users like Leo LaPorte. Most of them see their phone as a cool looking blackberry–with the same limited functionality–email and heh-heh…..telephony.
It’s not an issue because a) Android users don’t have credit cards, and b) it doesn’t change the fact that they still hate Apple
😛
I’m speechless that there’s a person actually named “Justin Case.”
Related by marriage to Ida Know and N. E. Tyme. (I was going to do a “Seymor Butz”, but resisted…)
You Missed Harry Butts!
I heard Busta Nutt himself was pretty upset, though.
There was a WCW/WWE wrestler named Justin Credible. LOL
HTC should change their slogan from “Quietly brilliant” to “Quietly brilliant data mining and sharing”
That amazon kindle fire tablet will sell for less than half the price of an ipad. They say these amazon tablets will sell well like a fire sale. It also goes along with that fire theme that these amazon customers will get burnt with identity thefts. But I suppose the low price justifies the headache for most.
Also keep in mind that at $199 Amazon are selling the Fire AT A LOSS. Buying market share a la Microsoft (XBox, Zune…) is apparently the only way for lame copy cat companies to compete with Apple. 😛
I'll have to pull down one of the new ROMs configured in this manner and have a look just out of curiosity.
HTC has arguably the nicest implementation of android with the Sense UI. What a way to destroy customer trust if all of this is being logged and sent anywhere on purpose, and even if accidental wow, what an epic mistake.
Makes Apple's bug with iPhones dumping location data in a file look like a walk in the park if it logs as deeply as being reported.
* posted from my HTC droid running a customized froyo rom i built myself *
Dude,
Your middle name has to be Geek.
The truth is this really isn’t THAT big of a deal.
Sure it logs most/all your critical data and leaves that open to 100,000 script kiddies…. But come on android is insecure as hell (from top to bottom) anyway. Anyone buying an android phone should be aware of the security problems (unless they live under a rock) so the only real news here is the bar has been lowered.
If you want a geek-toy to root and compile kernels for (which burns through batteries in a few hours) get a ‘roid.
On the other hand if you want a real (smart)phone you only have, at this point, the iPhone and the blackberry (and the latter option might be disappearing quickly)
Being the innovator (pacesetter), working in secret over a longer development cycle, Apple can take the time needed to “get it right.” The copiers are always in a rush, and take shortcuts.
I bet the PRESS will also be ‘speechless’ and once again give apple rivals a free pass.
If apple did a FRACTION of this it’ll be Antennagate all over again and senators will be calling Cook to testify etc. …
All your base are belong to us!
So can we now call this the hemorrhoid?
Just a thought 😉
Good thought!
And people sued Apple for privacy issues associated with the software error of not flushing the cell tower info? This is much, much, much worse…
It’s not a bug, it’s a feature!
“That way lies madness….”
“Justin Case” is a perfect name for a security expert.
Inspector Harry “Snapper” Organs anyone?
Android – who needs windows when you don’t have walls.
Justin Case Android users don’t have a clue about their devices?? Maybe after this, some of them will purchase an Apple phone if they use a little common sense.
I glanced through the comments on the original site and it speaks volumes on how there are no Apple fans trolling there. We all know how their trolls often visit here with absolutely no good intent.
Two reasons:
1. Android fans tend to have this masochistic streak (why else would they be consciously getting an Android in the first place?). When they come here, they love getting beaten down with solid arguments.
2. Apple fans have more fulfilling lives. We come here in our free time because we like the technology that makes our lives better. We get our Apple news and exchange our opinions about our favourite brand. We are no masochists — we don’t need to have someone poop on us.
I can’t bring myself to care about Angroid or Windows users.
Ever.
What, 27,000 South Korean HTC users haven’t sued for collecting data without consent???
A mere 27,000? This lawsuit is going into the 100s of thousands, and HTC will lose its shirt.
And how much of our data bandwidth are we paying for to “provide” this data they shouldn’t be accessing? However small it might be, it all adds up. And YOU are paying for it.
HTC: How ‘quietly brilliant’ of you to screw over your customers. I’m going to enjoy watching this car wreck. 😆
Reading through the comments attached to the original article, it seems apparent to me, what has been said here numerous times before is true, that Android is used by a lot of basement dwellers. The way they talk makes my head hurt!
It’s HTC. it’s Android. What did you expect from a wannabe iPhone product. Only a fool would deploy this product for corporate or even personal use.
Those folks at HTC are sharp. They knew what they were doing. They wouldn’t even acknowledge it publicly until they had to. They were silent for five days when Eckhart called them on it. With the Chinese communist regime just a few miles away, this can be very suspicious. If they are at all connected with the communist regime – this is extremely dangerous. Most folks here may not realize the implications of that…I can’t really go into it here. Be aware of what really could be going on.