Do you own an EVO 4G, EVO 3D (really? why would you buy a 3D phone?), Thunderbolt, EVO Shift 4G, MyTouch 4G Slide…? Then you'd better read this.

A new vulnerability has been found in HTC Android phones. Much as happened with iPhones, the device is logging a whole bunch of data for no apparent or known reason. However, unlike on the Apple devices, these log files are easily accessed by any app installed on the phones listed in the first paragraph. Long story short, if you have any of these phones and you grant the Internet connection permission to an app (a permission that most apps require and request), that app has full access to the following (extracted from Android Police):

  • the list of user accounts, including email addresses and sync status for each
  • last known network and GPS locations and a limited previous history of locations
  • phone numbers from the phone log
  • SMS data, including phone numbers and encoded text
  • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

Although HTC was informed of the vulnerability a couple of days before it was made public, there has been no official response yet. Meanwhile, if you have one of those phones, be careful about which apps you download.

The person who discovered the vulnerability has created a Proof of Concept app to show the kinds of data the phones are releasing:

