Massive HTC Android security flaw leaves security expert speechless

“I am quite speechless right now,” Artem Russakovskii reports for Android Police. “Justin Case and I have spent all day together with Trevor Eckhart (you may remember him as TrevE of DamageControl and Virus ROMs) looking into Trev’s findings deep inside HTC’s latest software installed on such phones as EVO 3D, EVO 4G, Thunderbolt, and others.”

“These results are not pretty. In fact, they expose such ridiculously frivolous doings, which HTC has no one else to blame but itself,” Russakovskii reports. “In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users’ devices, easier remote analysis, corporate evilness – it doesn’t matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.”

“That is not the case,” Russakovskii reports.

What Trevor found is only the tip of the iceberg – we are all still digging deeper – but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

• the list of user accounts, including email addresses and sync status for each
• last known network and GPS locations and a limited previous history of locations
• phone numbers from the phone log
• SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
• system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

Read more in the full article here.

MacDailyNews Take: Android. “Open” in all the wrong ways.

[Thanks to MacDailyNews readers too numerous to mention individually for the heads up.]

Related articles:
Apple’s iOS unaffected by malware as Android exploits surge 76% – August 24, 2011
Android malware records phone calls; iPhone users unaffected – August 2, 2011
Symantec: Apple iOS offers ‘full protection,’ Google Android ‘little protection’ vs. malware attacks – June 29, 2011
Malware apps spoof Android Market to infect Android phones – June 21, 2011
Google forced to pull several malware-infested apps from Android market – June 8, 2011
Android malware sees explosive growth; even faster than with PCs – April 27, 2011
Virus-laden apps infest Google’s ‘open’ Android platform; iPhone unaffected – March 3, 2011
Security firm warns of new Android trojan that can steal personal information; iPhone unaffected – December 30, 2010
Trojan infects Android smartphones; iPhone unaffected – August 10, 2010
Millions of Android phone users slammed by malicious data theft app – July 29, 2010
Unlike proactive Apple, reactive Google doesn’t block malware from Android app store – June 4, 2010
Malware designed to steal bank information pops up in Google’s Android app store – January 11, 2010

39 Comments

  1. And how much of our data bandwidth are we paying for to “provide” this data they shouldn’t be accessing? However small it might be, it all adds up. And YOU are paying for it.

  2. Reading through the comments attached to the original article, it seems apparent to me, what has been said here numerous times before is true, that Android is used by a lot of basement dwellers. The way they talk makes my head hurt!

  3. Those folks at HTC are sharp. They knew what they were doing. They wouldn’t even acknowledge it publicly until they had to. They were silent for five days when Eckhert called them on it. With the Chinese communist regime just a few miles away, this can be very suspicious. If they are at all connected with the communist regime – this is extremely dangerous. Most folks here may not realize the implications of that…I can’t really go into it here. Be aware of what really could be going on.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.