The folks over at Androidpolice.com discovered a major security exploit in a file called “HTCLoggers.apk” . This file could conceivably allow any app that has access to the internet to access all kinds of sensitive information to the phone owner. SMS records, last GPS location, apps accessed and more are all possible pieces of information that could be exploited if a malicious application were to find it’s way on to some devices.
More after the break
The devices in question are HTC Android devices running HTC’s proprietary Sense UI. Earlier this week HTC acknowledged the security risk but noted that in order for an app to access that information it would have to be a malicious app. Nonetheless the hole is there. HTC warned customers that while they prepare a patch for this issue, they should be vigilant in knowing where their apps are coming from.
As you can see from the images in this story Verizon Wireless has effectively told their employees to tell customers to do nothing until the patch is available. Unless you are within your return period Verizon Wireless will not allow you to change devices because of this issue.
HTC will provide a software update (MR3.5) with the HtcLoggers.apk removed. HTC is expected to make this update available to customers before the end of October.
Note: The issue contained in this bulletin does not warrant any type of CLNR replacement for customers experiencing this issue.
Verizon acknowledges that HTC is working on a patch but unfortunately we may not see it until the end of the month.