HTC Preps Emergency Patch For Android Phones

10 Companies Driving Mobile Security

HTC confirmed Tuesday third-party reports that a data-leakage vulnerability exists in some smartphone models that it manufactures, and said it's working on a fix. "In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application," said HTC in a statement.

"Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it," said HTC. According to the company, it's "working very diligently to quickly release a security update that will resolve the issue on affected devices."

The patch will address a vulnerability in the HTC Sense UI (user interface), which is HTC's customized skin that adds functionality on top of the vanilla Android operating system. The HTC Sense UI flaw is due to the presence of a file, HTCLogger.apk, that collects a variety of data points. The data appears to be collected for development, customer support, and troubleshooting purposes.

[The mobile security landscape is changing. Learn more: Mobile Security's Future: 4 Expert Predictions.]

But security researcher Trevor Eckhart discovered that any application with Internet access permission could access HTCLogger.apk. Accordingly, an attacker could create a rogue application to access the log file, obtaining everything from recently used phone numbers and email addresses, to SMS messages--encrypted, said Eckhart, but potentially able to be decrypted--and recent GPS coordinates.

It's unknown exactly how many HTC smartphones are affected. But numerous models, including the EVO, MyTouch, some models of Sensation, and ThunderBolt use the HTC Sense UI.

In its statement, HTC stressed that an attacker would have to create a malicious application to exploit the vulnerability, and thus recommended users beware using applications from untrusted sources, especially before a fix gets released. "So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability," said HTC.

HTC also noted that "a third-party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws." But that seems to miss the point: outlawing smartphone exploits hasn't curbed criminal outreach. Indeed, according to a study released in May 2011, the volume of malware targeting Android devices had increased by 400% since summer 2010. Meanwhile, security researchers expect the amount of malware seen by the end of 2011 to have doubled in quantity.

Two security researchers, writing in Android Police, had verified the HTC Sense UI vulnerability, and sounded an alarm over the "huge amount of data" being collected, noting that the text-only log file on an EVO 3D ran to 3.5 MB.

Android Police co-founder Artem Russakovskii said Tuesday that it remains unclear whether HTC's fix will paper over that data-collection practice. "While I applaud HTC's desire to fix the situation quickly, I do have to wonder whether the patch will simply apply some sort of an authentication scheme to the service while letting it continue collecting the same kind of sensitive data to be potentially reported back to HTC or carriers," he said. In addition, he said that HTC still hadn't addressed security researchers' concerns about other services running on its Android smartphones, such as the Android VNC server remote access tool.