HTC Says Fix to Privacy Vulnerability in Android Devices Coming

HTC officials have promised to fix a privacy hole affecting its Android devices that could expose sensitive user information to attackers.

At issue is HTCLoggers, which the mobile handset maker HTC recently introduced to customers as part of a suite of logging tools that gather a mountain of data about the device and the user. With HTCLoggers, this data runs the gamut from SMS data to GPS location to much, much more – making it a particularly juicy target for attackers.

“HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices,” a spokesperson told SecurityWeek. “Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources.”

For an attack to work, the malicious application just needs to connect to the HTC logging service listening on a local network port on the device, explained Nicholas Percoco, senior vice president and head of Trustwave SpiderLabs. After issuing pre-defined commands to Htcloggers.apk, the malware could access and export data from the HTC logs to an external system under the control of the attacker without the user’s knowledge.

Successful exploitation requires a bit of a boost from the user – the malware would need to be granted Internet access. But here’s the rub: applications requesting Internet permissions are not exactly rare.

“Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don’t expect it to read your phone log or list of emails,” according to the AndroidPolice.com blog.

The Android permissions are general, Percoco explained, and there are no permissions that can be defined by the developer or the user that are more granular.

“The Focus Stealing Vulnerability we disclosed at DEF CON 19 also needs Internet access, but also Phone State, which is also used by many apps, and is seemingly benign until someone with malicious intent builds an app that can take advantage of it,” he said.

HTC said that it has not learned of any customers being affected by the vulnerability so far. While a patch is on the way, concerned users can root their phones and delete the logging application (it can be found at /system/app/HtcLoggers.apk). Only devices such as EVO 4G and EVO 3D that have the stock Sense firmware installed are affected by the situation.