Huge security vulnerability found in HTC EVO devices
In the past, G&E has pointed out some flaws in the software that HTC provides on the EVO line of devices. We've told you about the suspicious program malware, Carrier IQ, that is included with all HTC EVOs by default. The concerns over Carrier IQ are still present but now we have a new concern called HTCLoggers.
This may seem like a harmless .apk nestled in your /system/app folder; however, Trevor Eckhart (of Virus ROMs) has uncovered a scary vulnerability of this app. Keep reading for the full details and to see Eckhart's proof of concept app that shows what this vulnerability could lead to.
Here's the information at risk:
- the list of user accounts, including email addresses and sync status for each
- last known network and GPS locations and a limited previous history of locations
- phone numbers from the phone log
- SMS data, including phone numbers and encoded text
- system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
Even more info collected by HTCLoggers can be intercepted by any app that has an android.permission.INTERNET permission. That means any game that posts your high scores or any app that displays ads can access this information.
This seems highly unlikely, right?
Well, that's where Eckhart's proof of concept app comes in (link to app here). This bad boy has a single INTERNET permission located inside it, and guess what it finds. Yep, all of that important information we thought it would find.
In the video above, Eckhart is able to access his GPS location and his ESN without any special permissions. He explicitly states that his app works in the foreground, allowing users to see what information is being collected. However, it would take "two seconds" to make this happen in the background and be sent to a web server for misuse.
I may not be the first, but I think it is time to call out HTC for being reckless with their data collecting. Not only is HTC over-collecting data that they probably don't need, but they are also making it very easy for almost any app to collect that same information. Hell, who knows what apps may already be stealing this information!
There are two real questions here. What is HTC going to do about this? And how do I get this app off of my EVO?
Question one better be answered soon. This is class action lawsuit worthy, HTC! We at G&E love the EVO, but we sure as hell don't like seeing our data go to whoever feels like having it.
Question two is not as easy as hitting "uninstall," but you can protect yourself. It requires three steps. Beginners may want to check out our glossary.
- Gain S-OFF (i.e., make your EVO rootable) for your HTC EVO 3D or HTC EVO 4G.
- Flash a ROM that does not contain Carrier IQ or HTCLoggers. Here's a tutorial for those who need it.
- Enjoy the safe world.
Picking a ROM is a tough decision, but ou can always check the forums for the ROMs you are looking at because CIQ removal is usually located in the original post.
What if you like stock and root scares you? Root shouldn't scare you – there are many reasons to root (including not having your data stolen). Two OG EVO ROMs that are very close to stock, Swagged Out Stock and Smooth 'N' Sexy, do not include this malware. There are also many choices out there for Sense 2.1/3.0 users. ROMs for the EVO 3D have started to remove this app as well, and of course, AOSP ROMs like CyanogenMod and MIUI do not include this app.
Alternatively, after gaining S-OFF on your EVO, you could grab Superuser from the Android Market. Then you can use an app like Root Explorer (or the free ES File Explorer) to remove HTCLoggers manually (the file is located in the /system/app folder of your phone's internal memory, not your SD card). However, this will not remove Carrier IQ, which still sends private data to HTC.
Whichever method you choose, you will be safe from the HTCLoggers vulnerability. Above is a screenshot from my HTC EVO 4G running Swagged Out Stock. As you can see, there is no com.htc.loggers folder in /data/data. This means that there are no logs that apps can access and, thus, my EVO is safe.
Is your EVO safe?
Also, be sure to head over to /system/lib to remove the libhtc_loggers.so lib file. Also, go to /data/data and delete the com.htc.loggers folder. If you go to /data/data and do not see any files, your root file explorer app does not have root permissions. Fix that ;)
[Android Police]
