Massive HTC Android security flaw leaves security expert speechless

“I am quite speechless right now,” Artem Russakovskii reports for Android Police. “Justin Case and I have spent all day together with Trevor Eckhart (you may remember him as TrevE of DamageControl and Virus ROMs) looking into Trev’s findings deep inside HTC’s latest software installed on such phones as EVO 3D, EVO 4G, Thunderbolt, and others.”

“These results are not pretty. In fact, they expose such ridiculously frivolous doings, which HTC has no one else to blame but itself,” Russakovskii reports. “In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users’ devices, easier remote analysis, corporate evilness – it doesn’t matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.”

“That is not the case,” Russakovskii reports.

What Trevor found is only the tip of the iceberg – we are all still digging deeper – but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

• the list of user accounts, including email addresses and sync status for each
• last known network and GPS locations and a limited previous history of locations
• phone numbers from the phone log
• SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
• system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

Read more in the full article here.

MacDailyNews Take: Android. “Open” in all the wrong ways.

[Thanks to MacDailyNews readers too numerous to mention individually for the heads up.]

Related articles:
Apple’s iOS unaffected by malware as Android exploits surge 76% – August 24, 2011
Android malware records phone calls; iPhone users unaffected – August 2, 2011
Symantec: Apple iOS offers ‘full protection,’ Google Android ‘little protection’ vs. malware attacks – June 29, 2011
Malware apps spoof Android Market to infect Android phones – June 21, 2011
Google forced to pull several malware-infested apps from Android market – June 8, 2011
Android malware sees explosive growth; even faster than with PCs – April 27, 2011
Virus-laden apps infest Google’s ‘open’ Android platform; iPhone unaffected – March 3, 2011
Security firm warns of new Android trojan that can steal personal information; iPhone unaffected – December 30, 2010
Trojan infects Android smartphones; iPhone unaffected – August 10, 2010
Millions of Android phone users slammed by malicious data theft app – July 29, 2010
Unlike proactive Apple, reactive Google doesn’t block malware from Android app store – June 4, 2010
Malware designed to steal bank information pops up in Google’s Android app store – January 11, 2010

39 Comments

    1. Exactly! This kind of thing only affects über users like Leo LaPorte. Most of them see their phone as a cool looking blackberry–with the same limited functionality–email and heh-heh…..telophony.

  1. That amazon kindle fire tablet will sell for less than half the price of an ipad. They say these amazon tablets will sell well like a fire sale. It also goes along with that fire theme that these amazon customers will get burnt with identity thefts. But I suppose the low price justifies the headache for most.

    1. Also keep in mind that at $199 Amazon are selling the Fire AT A LOSS. Buying market share a la Microsoft (XBox, Zune…) is apparently the only way for lame copy cat companies to compete with Apple. 😛

  2. ill have to pull down one of the new roms configured in this manner and have a look just out of curiosity.

    HTC has arguably the nicest implementation of android with the Sense UI. What a way to destroy customer trust if all of this is being logged and sent anywhere on purpose, and even if accidental wow, what an epic mistake.

    makes apples bug with iphones dumping location data in a file look like a walk in the park if it logs as deeply as being reported.

    * posted from my HTC droid running a customized froyo rom i built myself *

  3. The truth is this really isn’t THAT big of a deal.
    Sure it logs most/all your critical data and leaves that open to 100,000 script kiddies…. But come on android is insecure as hell (from top to bottom) anyway. Anyone buying and android phone should be aware of the security problems (unless they live under a rock) so the only real news here is the bar has been lowered.
    If you want a geek-toy to root and compile kernels for (which burns through batteries in a few hours) get a ‘roid.
    On the other hand if you want a real (smart)phone you only have, at this point, the iPhone and the blackberry (and the later option might be disappearing quickly)

  4. Being the innovator (pacesetter), working in secret over a longer development cycle, Apple can take the time needed to “get it right.” The copiers are aways in a rush, and take shortcuts.

  5. I bet the PRESS will also will also be ‘speechless’ and once again give apple rivals a free pass.

    If apple did a FRACTION of this it’ll Antennagate all over again and senators will be calling Cook to testify etc. …

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.