Massive HTC Android security flaw leaves security expert speechless

“I am quite speechless right now,” Artem Russakovskii reports for Android Police. “Justin Case and I have spent all day together with Trevor Eckhart (you may remember him as TrevE of DamageControl and Virus ROMs) looking into Trev’s findings deep inside HTC’s latest software installed on such phones as EVO 3D, EVO 4G, Thunderbolt, and others.”

“These results are not pretty. In fact, they expose such ridiculously frivolous doings, which HTC has no one else to blame but itself,” Russakovskii reports. “In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users’ devices, easier remote analysis, corporate evilness – it doesn’t matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.”

“That is not the case,” Russakovskii reports.

What Trevor found is only the tip of the iceberg – we are all still digging deeper – but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

• the list of user accounts, including email addresses and sync status for each
• last known network and GPS locations and a limited previous history of locations
• phone numbers from the phone log
• SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
• system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
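The list above says a single android.permission.INTERNET grant is enough, which means the collected data is reachable through a socket, since opening sockets is what that permission gates; the page does not say which port or protocol HTC's logging tools used. The example below is added here and is not code from Android Police, HTC or this site. It contrasts the weak pattern (a loopback TCP listener, which has no way to learn which local process connected) with the check a practitioner would want: a Unix-domain socket whose server asks the kernel for the caller's UID via SO_PEERCRED (Linux only) and serves the data only to an allowed set of UIDs. The sample log lines, socket paths and allowed-UID sets are constructed for the demonstration.

```python
import os
import socket
import struct
import tempfile
import threading

# Constructed stand-in for the kind of data a device-side logger might hold.
COLLECTED_LOGS = [
    "account: user@example.invalid sync=on",   # constructed sample line
    "loc: lat=0.0000 lon=0.0000 src=network",  # constructed sample line
    "sms: to=+15555550100 body=<encoded>",     # constructed sample line
]


def _serve_once(srv, decide):
    """Accept one connection in a background thread and answer it via decide()."""
    def handler():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(decide(conn))
        srv.close()
    threading.Thread(target=handler, daemon=True).start()


def serve_tcp_unauthenticated(port=0):
    """Weak pattern: loopback TCP. Any local process able to open a socket
    (on Android, anything holding android.permission.INTERNET) can connect,
    and TCP gives the server no kernel-backed identity for the peer."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    _serve_once(srv, lambda conn: "\n".join(COLLECTED_LOGS).encode())
    return srv.getsockname()[1]  # the ephemeral port actually bound


def fetch_tcp(port):
    with socket.create_connection(("127.0.0.1", port)) as c:
        return c.makefile("rb").read().decode()


def peer_uid(conn):
    """Linux SO_PEERCRED: the kernel reports (pid, uid, gid) of the peer
    process on an AF_UNIX stream socket; the client cannot forge it."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


def serve_unix_authenticated(path, allowed_uids):
    """Hardened pattern: a Unix-domain socket, owner-only filesystem mode as
    defence in depth, and an explicit caller-UID check before any data leaves."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o600)
    srv.listen(1)

    def decide(conn):
        if peer_uid(conn) in allowed_uids:
            return "\n".join(COLLECTED_LOGS).encode()
        return b"DENIED"

    _serve_once(srv, decide)
    return path


def fetch_unix(path):
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        return c.makefile("rb").read().decode()


def demo():
    """Run all three cases; returns (tcp_reply, allowed_reply, denied_reply)."""
    tmp = tempfile.mkdtemp()
    me = os.getuid()
    tcp_reply = fetch_tcp(serve_tcp_unauthenticated())
    allowed = fetch_unix(serve_unix_authenticated(os.path.join(tmp, "ok.sock"), {me}))
    # Constructed "privileged" set that deliberately excludes the caller's UID.
    denied = fetch_unix(serve_unix_authenticated(os.path.join(tmp, "no.sock"), {me + 1}))
    return tcp_reply, allowed, denied


if __name__ == "__main__":
    for label, reply in zip(("tcp", "unix-allowed", "unix-denied"), demo()):
        print(f"{label}: {reply!r}")
```

The TCP server hands the logs to whoever connects; the Unix-socket server hands them only to a caller whose kernel-reported UID is on the list, and an unprivileged caller gets DENIED. On Android the equivalent check for a Binder service is the caller UID or a signature-level permission, not the mere ability to open a socket.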

Read more in the full article here.

MacDailyNews Take: Android. “Open” in all the wrong ways.

[Thanks to MacDailyNews readers too numerous to mention individually for the heads up.]

Related articles:
Apple’s iOS unaffected by malware as Android exploits surge 76% – August 24, 2011
Android malware records phone calls; iPhone users unaffected – August 2, 2011
Symantec: Apple iOS offers ‘full protection,’ Google Android ‘little protection’ vs. malware attacks – June 29, 2011
Malware apps spoof Android Market to infect Android phones – June 21, 2011
Google forced to pull several malware-infested apps from Android market – June 8, 2011
Android malware sees explosive growth; even faster than with PCs – April 27, 2011
Virus-laden apps infest Google’s ‘open’ Android platform; iPhone unaffected – March 3, 2011
Security firm warns of new Android trojan that can steal personal information; iPhone unaffected – December 30, 2010
Trojan infects Android smartphones; iPhone unaffected – August 10, 2010
Millions of Android phone users slammed by malicious data theft app – July 29, 2010
Unlike proactive Apple, reactive Google doesn’t block malware from Android app store – June 4, 2010
Malware designed to steal bank information pops up in Google’s Android app store – January 11, 2010

39 Comments

  1. Justin Case Android users don’t have a clue about their devices?? Maybe after this, some of them will purchase an Apple phone if they use a little common sense.

    1. Two reasons:

      1. Android fans tend to have this masochistic streak (why else would they be consciously getting an Android in the first place?). When they come here, they love getting beaten down with solid arguments.

      2. Apple fans have more fulfilling lives. We come here in our free time because we like the technology that makes our lives better. We get our Apple news and exchange our opinions about our favourite brand. We are no masochists — we don’t need to have someone poop on us.
