HTC device owners beware! In a recent update to some HTC phones, the company added a suite of logging tools, an app dubbed HtcLoggers.apk, capable of collecting a huge amount of information, including location, user accounts, phone numbers, system logs and some SMS data, reports Android Police.
According to the report, “only phones with the stock Sense firmware are affected. Using a proof of concept app, the EVO 4G, EVO 3D, Thunderbolt, EVO Shift 4G, MyTouch 4G Slide and some Sensation models have been found vulnerable to data theft via the HtcLoggers app.”
Any app that holds Android’s INTERNET permission can gain access to at least the following, and therefore copy any of that information off the device. Ironically, because such an app has the INTERNET permission, it can also send all the data off to a remote server, killing two birds with one permission:
- ACCESS_COARSE_LOCATION: Allows an application to access coarse (e.g., Cell-ID, WiFi) location.
- ACCESS_FINE_LOCATION: Allows an application to access fine (e.g., GPS) location.
- ACCESS_LOCATION_EXTRA_COMMANDS: Allows an application to access extra location provider commands.
- ACCESS_WIFI_STATE: Allows applications to access information about Wi-Fi networks.
- BATTERY_STATS: Allows an application to collect battery statistics.
- DUMP: Allows an application to retrieve state dump information from system services.
- GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
- GET_PACKAGE_SIZE: Allows an application to find out the space used by any package.
- GET_TASKS: Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.
- READ_LOGS: Allows an application to read the low-level system log files.
- READ_SYNC_SETTINGS: Allows applications to read the sync settings.
- READ_SYNC_STATS: Allows applications to read the sync stats.
In fact, HtcLogger has a whole interface which accepts a variety of commands (such as the handy :help: that shows all available commands), and above all “no login/password are required” to access said interface.
Furthermore, it’s worth noting that HtcLogger tries to use root to dump even more data, such as WiMax state, and may attempt to run something called htcserviced – at least this code is present in the source:
/system/xbin/su 0 /data/data/com.htc.loggers/bin/htcserviced
Engadget notes that HTC has issued a short statement, with a spokesperson saying that the company takes customers’ security “very seriously” and will be working to provide an update as soon as they’ve verified the issue exists as reported.
Android Police notes, “patching is not possible without having access to the root or an update from HTC. If you do root, immediate removal of Htcloggers is recommended (you can find it at /system/app/HtcLoggers.apk).”
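A host-side check for the logger, as an added example that is not from the article, Android Police or HTC: it scans `pm list packages -f` output for the APK path given above and reports which of the listed permissions appear in a text dump of that package's permissions (for example from `dumpsys package`). The package name `com.htc.loggers` is inferred from the `/data/data` path above, and the sample input is constructed.

```python
import re

# Permissions the article lists as reachable through HtcLoggers.
LISTED = {
    "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION",
    "ACCESS_LOCATION_EXTRA_COMMANDS", "ACCESS_WIFI_STATE", "BATTERY_STATS",
    "DUMP", "GET_ACCOUNTS", "GET_PACKAGE_SIZE", "GET_TASKS", "READ_LOGS",
    "READ_SYNC_SETTINGS", "READ_SYNC_STATS",
}
APK_PATH = "/system/app/HtcLoggers.apk"  # path given in the article
PKG_NAME = "com.htc.loggers"             # assumption: inferred from the /data/data path

def find_logger(pm_output):
    """Return (apk_path, package) if `pm list packages -f` output shows the logger."""
    for line in pm_output.splitlines():
        m = re.match(r"package:(?P<apk>.+)=(?P<pkg>[\w.]+)\s*$", line.strip())
        if m and (m["apk"].lower() == APK_PATH.lower() or m["pkg"] == PKG_NAME):
            return m["apk"], m["pkg"]
    return None

def listed_permissions(permission_dump):
    """Pick out the article's permissions from any text dump of a package's permissions."""
    found = set(re.findall(r"android\.permission\.([A-Z_]+)", permission_dump))
    return sorted(found & LISTED)

def audit(pm_output, permission_dump=""):
    hit = find_logger(pm_output)
    if hit is None:
        return {"present": False, "apk": None, "permissions": []}
    return {"present": True, "apk": hit[0], "permissions": listed_permissions(permission_dump)}

# Constructed sample input (not captured from a real device).
SAMPLE_PM = """\
package:/system/app/Calculator.apk=com.android.calculator2
package:/system/app/HtcLoggers.apk=com.htc.loggers
package:/data/app/com.example.notes-1.apk=com.example.notes
"""
SAMPLE_PERMS = """\
android.permission.READ_LOGS
android.permission.GET_ACCOUNTS
android.permission.INTERNET
android.permission.ACCESS_FINE_LOCATION
"""

if __name__ == "__main__":
    print(audit(SAMPLE_PM, SAMPLE_PERMS))
```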
In order to help showcase the findings, TrevE created an open-sourced POC (proof of concept) of a simple app that requests a single INTERNET permission, then shows that it can gain access to all the data mentioned above.
There are screenshots as well as a video walkthrough below: