HTC’s custom Android ROM suffers from a major security vulnerability that exposes personal information to any application.
The latest version of HTC’s Android software keeps a log of email addresses, SMS data, location, phone numbers and system logs, courtesy of a suite of HTC logging tools installed on devices with the most recent version of HTC software. On its own, the collection of such extensive personal data has been the focal point of much debate, especially when the data can be accessed by any application.
Malicious applications that have Internet permissions will be able to tap into HTC user data and relay it to a server. Unlike Apple’s App Store, Android does not vet every application uploaded. This allows a malicious application to disguise itself, say as a web browser, while stealing private data in the background on the phone.
Currently, the two affected HTC models in Australia are the HTC Sensation, which is exclusive to Telstra, and the HTC EVO 3D, sold by both Telstra and Vodafone. The two carriers are aware of the issue and are awaiting word from HTC regarding an update.
“Once the investigation is complete we will assess the findings to ensure our customers are protected,” a Telstra spokesman said.
So far, HTC claims to take personal security very seriously, and told the SMH it “will provide an update as soon as we’re able to determine the accuracy of the claims and what steps, if any, need to be taken.”
The vulnerability was exposed by security experts Trevor Eckhart, Justin Case and Artem Russakovskii, who approached HTC 5 days earlier regarding the security issue and received no response.
Their decision to release the exploit publicly will help consumers make security-conscious decisions when buying a phone, but will also increase the number of malicious applications targeting the vulnerability now that it is widely known.