Owners of Android based HTC devices may be at risk following allegations that the latest software update allows any app to access personal user information including SMS data, system logs and GPS coordinates.
An analysis of the latest software installed on HTC devices including EVO 3D, EVO 4G and Thunderbolt, among others, undertaken by Android Police reveals the vulnerability.
The site claims that recent HTC updates have introduced a suite of logging tools to collect user information, but can be easily accessed by any app on the device that requests a single “android.permission.INTERNET”. Any app that accesses the internet or displays ads utilises this permission.
According to the site, the information accessible includes:
• the list of user accounts, including email addresses and sync status for each
• last known network and GPS locations and a limited previous history of locations
• phone numbers from the phone log
• SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
• system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
Other information the website claims is accessible includes full memory information, running processes and full network information, including IP addresses.
As proof of concept a video of the exploit in action was uploaded to YouTube by Trevor Eckhart.
HTC is yet to release an official statement on the allegations.