Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Security Vulnerabilities Exposed in HTC’s Android Devices

Vulnerability in HTC Android Devices Leaks Phone Numbers, Location, SMS, Emails Addresses, and More

Vulnerability in HTC Android Devices Leaks Phone Numbers, Location, SMS, Emails Addresses, and More

According to a report from the AndroidPolice.com blog, Trevor Eckhart, Artem Russakovskii, and Justin Case have discovered that a recent update to HTC’s Sense UI software exposes a massive amount of personal information, thanks to the inclusion of new logging tools.

HTC Android Vulnerability“Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don’t expect it to read your phone log or list of emails,” Russakovskii commented.

The data exposed by the new Sense UI software includes a list of user accounts, including email account details and sync stats, last known network and GPS data, as well as limited history for each location, phone numbers from the phone log, SMS data, and other system logs. In addition, other details can be obtained by accessing the logging tools pushed by the recent update.

According to Eckhart, the vulnerability can be leveraged by any application on affected devices that requests a single “android.permission.INTERNET”, and by using that permission alone, can access at least the following:

• ACCESS_COARSE_LOCATION Allows an application to access coarse (e.g., Cell-ID, WiFi) location

• ACCESS_FINE_LOCATION Allows an application to access fine (e.g., GPS) location

• 
ACCESS_LOCATION_EXTRA_COMMANDS Allows an application to access extra location provider commands

• ACCESS_WIFI_STATE Allows applications to access information about Wi-Fi networks

Advertisement. Scroll to continue reading.

• BATTERY_STATS Allows an application to collect battery statistics

• DUMP Allows an application to retrieve state dump information from system services.

• GET_ACCOUNTS Allows access to the list of accounts in the Accounts Service

• GET_PACKAGE_SIZE Allows an application to find out the space used by any package.

• GET_TASKS Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.

• READ_LOGS Allows an application to read the low-level system log files.

• READ_SYNC_SETTINGS Allows applications to read the sync settings

• READ_SYNC_STATS Allows applications to read the sync stats

The “INTERNET” permission is normal for any Android application that shows ads, or uses the device’s data access to submit data or record things like game scores. AndroidPolice.com has currently singled out the EVO 4G, EVO 3D, HTC Thunderbolt, and also noted that the EVO Shift 4G, and MyTouch 4G could be vulnerable. They say that, in theory, it may be possible to clone a device using just a small subset of the information leaked.

HTC is looking into the reports, and said it would provide more information when available. Otherwise, no other comments have been made.

Those wishing to test their devices can use a proof of concept tool released by AndroidPolice.com, which can be obtained here. There is no fix for this problem other than to root the device itself or wait for a patch from HTC.

Related Reading: Mitigation of Security Vulnerabilities on Android & Other Handset Platforms

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Cybercrime

A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.