Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

HTC Says Fix to Privacy Vulnerability in Android Devices Coming

HTC officials have promised to fix a privacy hole affecting its Android devices that could expose sensitive user information to attackers.

HTC officials have promised to fix a privacy hole affecting its Android devices that could expose sensitive user information to attackers.

At issue is HTCLoggers, which the mobile handset maker HTC recently introduced to customers as part of a suite of logging tools that gather a mountain of data about the device and the user. With HTCLoggers, this data runs the gamut from SMS data to GPS location to much, much more – making it a particularly juicy target for attackers.

“HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices,” a spokesperson told SecurityWeek. “Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources.”

For an attack to work, the malicious application just needs to connect to the HTC logging service listening on a local network port on the device, explained Nicholas Percoco, senior vice president and head of Trustwave SpiderLabs. After issuing pre-defined commands to Htcloggers.apk, the malware could access and export data from the HTC logs to an external system under the control of the attacker without the user’s knowledge.

Successful exploitation requires a bit of a boost from the user – the malware would need to be granted Internet access. But here’s the rub: applications requesting Internet permissions are not exactly rare.

“Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don’t expect it to read your phone log or list of emails,” according to the AndroidPolice.com blog.

The Android permissions are general, Percoco explained, and there are no permissions that can be defined by the developer or the user that are more granular.

“The Focus Stealing Vulnerability we disclosed at DEF CON 19 also needs Internet access, but also Phone State, which is also used by many apps, and is seemingly benign until someone with malicious intent builds an app that can take advantage of it,” he said.

HTC said that it has not learned of any customers being affected by the vulnerability so far. While a patch is on the way, concerned users can root their phones and delete the logging application (it can be found at /system/app/HtcLoggers.apk). Only devices such as EVO 4G and EVO 3D that have the stock Sense firmware installed are affected by the situation.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Cybercrime

A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.

Mobile & Wireless

Chinese tech giant Huawei patched nearly 300 vulnerabilities in its HarmonyOS operating system in 2022.