A major security hole found in some HTC Android phones which could give apps with Internet permissions to information like user’s location and their text messages. In fact, this could happen with any third-party application. Some of the devices in this category identified as of now include EVO 3D, 4G, Thunderbolt, EVO Shift 4G, MyTouch 4G Slide, etc. The list could increase on further research.
After a quite extensive research, Android Police has discovered a suite of logging tools called HTCLoggers which were added to some HTC devices during a recent software update. This HTCLoggers.apk has root-level access. Any app on affected devices that requests a single android.permission.INTERNET which is normal for any app that connects to Internet can get its hands on the following –
-the list of user accounts, including email addresses and sync status for each
-last known network and GPS locations and a limited previous history of locations
-phone numbers from the phone log
-SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
-system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
Even though there is no immediate fix for this security flaw, if your device is rooted, you can immediately delete Htcloggers.apk right away (you can find it at /system/app/HtcLoggers.apk).
Even though this is not the security vulnerability that is present in Android itself, but rather something that has been introduced by HTC team, this is serious issue. We have seen many instances in the past where Android devices are affected with malware apps, but this one is entirely different.
HTC has responded to this report – "HTC takes our customers’ security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we’re able to determine the accuracy of the claim and what steps, if any, need to be taken."
Proof of Concept for advanced Android users: