Android Police just discovered that recent HTC Android phones such as the Thunderbolt, EVO 3D, the EVO 4G are vulnerable to a huge security hole that leaves emails, GPS locations, and SMS text wide open.
HTC had just updated the devices with a new logging tool, which apparently opened the security hole.
If you use an app on your HTC device that asks for permission to use the internet, you immediately become vulnerable to the app stealing these personal files, Android Police reports:
- the list of user accounts, including email addresses and sync status for each
- last known network and GPS locations and a limited previous history of locations
- phone numbers from the phone log
- SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
- system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
Ordinarily, the android.permission.INTERNET permission would only give the app access to your internet connection, and not to your private files.
Currently, an update from HTC will be the only way to patch the giant hole, unless you decide to root your Android phone and manually remove the “APK” file logging your actions.
Rooting is probably not your best option though if you aren’t familiar with the rooting process. Until HTC releases an update for your phone, don’t download any nefarious looking apps—especially apps that look suspicious and have just been released.
For the complete report, or to learn which files to remove if you root your device, head over to Android Police.