(LiveHacking.Com) – HTC recently updated the software on some of its Android-based phones, introducing a suite of logging tools that collect information from the device, including location data and SMS usage. This software has been rolling out for popular phones like the EVO 4G, the EVO 3D and the Thunderbolt. According to a new report, this log data is available to any application installed on the phone that is granted ‘Internet’ permission (which is just about every app).
Once an app with ‘Internet’ permission is installed, it can access HTC’s logging data and read:
- the list of user accounts
- the last known network and GPS locations, along with a short history of previous locations
- phone numbers from the phone log
- SMS data
The problem is with a preinstalled app called HtcLoggers.apk that collects all kinds of data and then acts as a server to any connection that opens the right port. Once connected, the app serves up data via a command line interface that even has a handy ‘help’ command.
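An added example, not from the original report or from HTC: a defender-side audit that parses `/proc/net/tcp` and lists every listening TCP socket with its owning UID, which is how a local service like the one described above shows up on a device. The sample table is constructed, its port numbers are arbitrary, and little-endian address encoding (as on ARM Android devices) is assumed.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1234
   1: 00000000:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10057        0 2345
   2: 0F02000A:A1B2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10061        0 3456
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN


def decode_addr(hex_addr):
    """Turn '0100007F:1F90' into ('127.0.0.1', 8080) (little-endian IPv4)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp):
    """Return every LISTEN socket with its owning UID and exposure."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        uid = int(fields[7])
        found.append({
            "ip": ip,
            "port": port,
            "uid": uid,
            # Android gives installed apps UIDs from 10000; lower UIDs are system.
            "owner": "system" if uid < 10000 else "app",
            # Loopback listeners are still reachable by every local app that
            # holds INTERNET; other bind addresses are reachable from the network too.
            "exposure": "local apps" if ip.startswith("127.") else "local apps + network",
        })
    return found


if __name__ == "__main__":
    for s in listening_sockets(SAMPLE):
        print(f"{s['ip']}:{s['port']} uid={s['uid']} ({s['owner']}) -> {s['exposure']}")
```

Any listener owned by a system UID that is not expected on the device is worth tracing back to its package, since binding to loopback alone does not restrict which local apps can connect.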
The vulnerability was found by Trevor Eckhart (AKA TrevE), who has created a proof-of-concept app and has released a YouTube video walkthrough.
According to the Android Police report:
After finding the vulnerability, Trevor contacted HTC on September 24th and received no real response for five business days, after which he released this information to the public.