A serious security flaw exists in several HTC-manufactured Android phones that enables virtually any app to access private data stored on the device, including call logs, text messages and email addresses.
Discovered by the security blog Android Police, the vulnerability allows apps that request Internet permission to access the phone’s last known GPS location, phone numbers, encoded text and system logs, which could include email addresses, phone numbers and other private information.
This security slip-up could affect the millions of Android users who think nothing of downloading apps from the legitimate Android Market, many of which are configured by default to access the Internet.
“Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the Internet permission (to submit scores online, for example), you don’t expect it to read your phone log or list of emails,” Android Police’s Artem Russakovskii wrote.
The Android phones affected by this flaw include the HTC EVO 3D, the EVO 4G and the Thunderbolt. The list is expected to grow as Android Police continues to run a proof-of-concept exploit on more HTC devices, including the MyTouch 4G Slide and the EVO Shift 4G.
Russakovskii wrote that the phone flaw exists due to a suite of new logging tools HTC introduced to its devices during recent upgrades.
“The only reason the data is leaking left and right is because HTC set their snooping environment up this way,” he said. “It’s like leaving the keys under the mat and expecting nobody who finds them to unlock the door.”
To make matters worse, Android Police says smartphone owners are virtually helpless against this security bug, which can be fixed only by an update from HTC. As a temporary safety measure, Android Police wrote, “Stay safe and don’t download suspicious apps.”
In an email to SecurityNewsDaily, HTC wrote, “HTC takes our customers’ security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we’re able to determine the accuracy of the claim and what steps, if any, need to be taken.”
Article provided by SecurityNewsDaily, a sister site to Laptopmag.com.