This weekend Androidpolice.com discovered a “massive” Android security hole introduced by HTC’s Sense UI on some HTC Android phones. According to Androidpolice, the hole gave any app with access to the internet access to a whole lot more: SMS information, user information, last GPS coordinates and other sensitive information were found to be at risk by the reliable security team at Android Police.
HTC did take time over the weekend to reassure customers that they were addressing the issue and that, if it was found to be valid, they would act swiftly. That’s exactly what they did.
“In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers’ data, there is a vulnerability that could potentially be exploited by a malicious third-party application,” said HTC in a prepared statement.
HTC went on to say they are working on a patch and will quickly test it with their carrier partners and roll it out to phones that are at risk from this security threat. HTC has found the same flaw that androidpolice.com discovered, within a file in HTC’s Sense UI. The file, called HTCLogger.apk, logs and collects a variety of personal data points, presumably for development, customer support, and troubleshooting.
Security analyst Trevor Eckhart, along with Androidpolice.com’s Justin Case and founder Artem Russakovskii, worked all weekend to vet this story and discover the root of the issue. They discovered that any app with access to the internet also had access to HTCLogger.apk. HTC contends that someone would need to release a malicious app into the Android Market to take advantage of this vulnerability and that, as far as they knew, no one had done this yet.
While we are awaiting the patch, HTC recommends only downloading apps from trusted sources.
Russakovskii told Information Week, “While I applaud HTC’s desire to fix the situation quickly, I do have to wonder whether the patch will simply apply some sort of an authentication scheme to the service while letting it continue collecting the same kind of sensitive data to be potentially reported back to HTC or carriers.”
It’s unclear exactly when the patch will be ready, so if you have an HTC Android phone running Sense UI you should be careful downloading apps from sources you don’t know. The vulnerability affects the HTC Evo, Evo 3D, Thunderbolt and other HTC devices running Sense.