Vulnerability in HTC Android Devices Leaks Phone Numbers, Location, SMS, Email Addresses, and More
According to a report from the AndroidPolice.com blog, Trevor Eckhart, Artem Russakovskii, and Justin Case have discovered that a recent update to HTC’s Sense UI software exposes a massive amount of personal information, thanks to the inclusion of new logging tools.
“Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don’t expect it to read your phone log or list of emails,” Russakovskii commented.
The data exposed by the new Sense UI software includes a list of user accounts, including email account details and sync stats, last known network and GPS data, as well as limited history for each location, phone numbers from the phone log, SMS data, and other system logs. In addition, other details can be obtained by accessing the logging tools pushed by the recent update.
According to Eckhart, the vulnerability can be leveraged by any application on affected devices that requests the single permission “android.permission.INTERNET”. Using that permission alone, the application can access at least what the following permissions cover:
• ACCESS_COARSE_LOCATION Allows an application to access coarse (e.g., Cell-ID, WiFi) location
• ACCESS_FINE_LOCATION Allows an application to access fine (e.g., GPS) location
• ACCESS_LOCATION_EXTRA_COMMANDS Allows an application to access extra location provider commands
• ACCESS_WIFI_STATE Allows applications to access information about Wi-Fi networks
• BATTERY_STATS Allows an application to collect battery statistics
• DUMP Allows an application to retrieve state dump information from system services.
• GET_ACCOUNTS Allows access to the list of accounts in the Accounts Service
• GET_PACKAGE_SIZE Allows an application to find out the space used by any package.
• GET_TASKS Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.
• READ_LOGS Allows an application to read the low-level system log files.
• READ_SYNC_SETTINGS Allows applications to read the sync settings
• READ_SYNC_STATS Allows applications to read the sync stats
The “INTERNET” permission is normal for any Android application that shows ads or uses the device’s data access to submit data or record things like game scores. AndroidPolice.com has so far singled out the EVO 4G, EVO 3D, and HTC Thunderbolt, and also noted that the EVO Shift 4G and MyTouch 4G could be vulnerable. They say that, in theory, it may be possible to clone a device using just a small subset of the information leaked.
HTC is looking into the reports, and said it would provide more information when available. Otherwise, no other comments have been made.
Those wishing to test their devices can use a proof of concept tool released by AndroidPolice.com, which can be obtained here. There is no fix for this problem other than to root the device itself or wait for a patch from HTC.
