Officials at mobile handset maker HTC said they are working on a patch for a problem in many of the company's Android devices that lets any app with the Internet permission access a large cache of user and device data collected by a proprietary tool called HTCLoggers. The company said on Monday that it was looking into the claims.
The statement from HTC says that the company, which makes a variety of popular Android phones, including the EVO 3D and EVO 4G, is testing a security update for the affected handsets right now and plans to push it to users as soon as it’s ready and stable enough to do so.
“HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources,” the company said in an email statement.
The company did not specify when the update would be available to customers.
On Monday, news spread that several of the company’s Android phones contained a tool called HTCLoggers, which is designed to give developers detailed information about devices for troubleshooting. The tool collects a broad set of data about the device and its users, including email addresses, phone and SMS logs, GPS location and other information. That data is not meant for use by any other apps, but a report on the Android Police site showed that virtually any Android app that had the Internet permission on an affected device could access the data over a local port.
Many Android apps have the Internet permission by default, and in most cases users pay little attention to the specific permissions that an app requests. Even if they did, an app requesting permission to reach the Internet would not be likely to raise suspicion. There have been many incidents involving malicious apps planted in the Android Market, and security researchers have also discovered various vulnerabilities in the operating system that enable seemingly benign Android apps to take malicious actions without the user’s knowledge.
Jon Oberheide, a founder of Duo Security and security researcher who has identified several Android bugs, said that the privacy leak in the HTC phones is a serious problem but there are plenty of other methods for getting the same information from a device, including silently installing apps that request the same permissions or just rooting the device through privilege escalation.