In association with heise online

03 October 2011, 09:39

Backdoor in HTC Android smartphones - Update


Apps with minimal privileges can read system data on an HTC Android device
A version of Android that contains a proprietary HTC logging program is installed on several current HTC smartphones. The htclogger is designed to help developers with such tasks as tracking down bugs. However, the Android Police web site reports that the software also enables almost any installed software to access a user's private data.

Apparently, all that's required for an app to obtain access is the android.permission.INTERNET privilege. Many programs possess this by default, for example if they require a web connection in order to display adverts. According to Android Police, this privilege also allows these apps to establish a connection with htclogger on a local port and use it to read a variety of data, including the latest network and GPS location data, phone numbers from the phone log, SMS data and system logs.
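A local TCP listener is reachable by any app that holds the INTERNET privilege, so a device audit can start by listing which sockets are in LISTEN state and who owns them. The following is an added example, not code from this article or from Android Police: it parses the Linux `/proc/net/tcp` table, and the sample rows, ports and UIDs are constructed, since the article does not name the port htclogger uses.

```python
import ipaddress

# Constructed sample in /proc/net/tcp format; ports and UIDs are made up
# and are not values from the article.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4021 1 0000000000000000 100 0 0 10 0
   1: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 4188 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:C350 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10057        0 5230 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = 0x0A  # socket state code for LISTEN
# Android gives installed apps UIDs from 10000 up; lower UIDs belong to
# system components, whose data an unprivileged app should not reach.
FIRST_APP_UID = 10000


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (ip_string, port)."""
    addr_hex, port_hex = field.split(":")
    # The kernel prints the IPv4 address as a host-order word; on
    # little-endian devices (ARM Android) the bytes appear reversed.
    ip = ipaddress.IPv4Address(bytes.fromhex(addr_hex)[::-1])
    return str(ip), int(port_hex, 16)


def listening_sockets(proc_net_tcp):
    """Return every TCP socket in LISTEN state with its owner UID."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip header row
        cols = line.split()
        if len(cols) < 10 or int(cols[3], 16) != TCP_LISTEN:
            continue
        ip, port = decode_endpoint(cols[1])
        uid = int(cols[7])
        found.append({"ip": ip, "port": port, "uid": uid,
                      "loopback_only": ipaddress.ip_address(ip).is_loopback,
                      "system_owned": uid < FIRST_APP_UID})
    return found


def review_candidates(proc_net_tcp):
    """System-owned listeners: each needs its own authentication check,
    since the platform does not gate local TCP connections per caller."""
    return [s for s in listening_sockets(proc_net_tcp) if s["system_owned"]]
```

On a real device the same text can be read from `/proc/net/tcp` and passed to `review_candidates()`; a listener bound only to loopback is still reachable by every local app.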

The hackers said that the hole can be found in the Evo3D, Evo4G and Thunderbolt models, and that other models such as the Sensation could also be affected. They have asked the owners of these models for assistance and provided software to test for the problem.

Update: HTC has now confirmed the security hole. In a statement, the company says that it "is working very diligently to quickly release a security update that will resolve the issue on affected devices." Once completed and tested by carriers, the patch will be sent out to customers via an over-the-air (OTA) update.

