In recent updates to some of its devices, HTC introduced a suite of logging tools that collect information. Whatever the motive was, whether better understanding of problems on users' devices, easier remote analysis, or corporate evilness, it doesn't matter. If you, as a company, plant these information gatherers on a device, you had better be DAMN sure the information they collect is secured and only available to privileged services or to the user, after opting in.
What Trevor found is only the tip of the iceberg. We are all still digging deeper, but currently any app on affected devices that requests a single android.permission.INTERNET can get its hands on:
- the list of user accounts, including email addresses and sync status for each
- last known network and GPS locations and a limited previous history of locations
- phone numbers from the phone log
- SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
- system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
Normally, apps get access only to what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that asks only for the INTERNET permission, you don't expect it to read your phone log or list of emails. Now look at the vast amount of data (on the EVO 3D) that is exposed to apps abusing this vulnerability all day (granted, some of it may already be available to any app via the Android APIs):
- active notifications in the notification bar, including notification text
- build number, bootloader version, radio version, kernel version
- network info, including IP addresses
- full memory info
- CPU info
- file system info and free space on each partition
- running processes
- current snapshot/stacktrace of not only every running process but every running thread
- list of installed apps, including permissions used, user ids, versions, and more
- system properties/variables
- currently active broadcast listeners and history of past broadcasts received
- currently active content providers
- battery info and status, including charging/wake lock history
- and more
Let me put it another way. Using only the INTERNET permission, any app can also gain at least the following:
- ACCESS_COARSE_LOCATION: Allows an application to access coarse (e.g., Cell-ID, WiFi) location
- ACCESS_FINE_LOCATION: Allows an application to access fine (e.g., GPS) location
- ACCESS_LOCATION_EXTRA_COMMANDS: Allows an application to access extra location provider commands
- ACCESS_WIFI_STATE: Allows applications to access information about Wi-Fi networks
- BATTERY_STATS: Allows an application to collect battery statistics
- DUMP: Allows an application to retrieve state dump information from system services
- GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service
- GET_PACKAGE_SIZE: Allows an application to find out the space used by any package
- GET_TASKS: Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.
- READ_LOGS: Allows an application to read the low-level system log files
- READ_SYNC_SETTINGS: Allows applications to read the sync settings
- READ_SYNC_STATS: Allows applications to read the sync stats
In addition, and the implications of this could end up being insignificant yet still very suspicious, HTC also decided to add an app called androidvncserver.apk to their Android OS installations. If you're not familiar with VNC, it is essentially a remote access server. On the EVO 3D, it was present from the start and updated in the latest OTA. The app doesn't start by default, but it is unclear what or who can activate it and possibly get access to your phone remotely.
In addition to Carrier IQ (CIQ), which was planted by HTC/Sprint and prompted all kinds of questions a while ago, HTC also included another app called HtcLoggers.apk. This app is capable of collecting all kinds of data, as I stated above, and then delivering it to anyone who asks for it by opening a local port. Not only HTC, but anybody who connects to it, which happens to be any app with the INTERNET permission. Ironically, because a given app has the INTERNET permission, it can also send all the data off to a remote server, killing two birds with one permission.
In fact, HtcLogger has a whole interface that accepts a variety of commands (such as the handy :help: that shows all available commands). Oh yeah, and no login/password is required to access said interface.
It's also worth noting that HtcLogger tries to use root to dump even more data, for example WiMax state, and may attempt to run something called htcserviced. At least, this code is present in the source:
/system/xbin/su 0 /data/data/com.htc.loggers/bin/htcserviced
HtcLoggers is only one of the services collecting data, and we haven't even gotten to the bottom of what else it can do, let alone what the other services are capable of doing. But hey, I think you'll agree that this is already more than enough.
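One way to audit a device for the kind of unauthenticated local port described above, as an added example that is not from the article or from TrevE's proof of concept: it parses a `/proc/net/tcp` dump for listening sockets and maps each one to its owning package. The sample dump, port numbers, UIDs and the UID-to-package map are constructed; the watchlist uses the `com.htc.loggers` name from the path quoted above.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (as from `adb shell cat /proc/net/tcp`).
# Ports and UIDs are made up; the article does not state the real port.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10023        0 4211 1 0000 0 0
   1: 00000000:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 3977 1 0000 0 0
   2: 0F02000A:C350 5E2C7D4A:01BB 01 00000000:00000000 00:00000000 00000000 10051        0 5120 1 0000 0 0
"""
# Constructed UID -> package map (on a device this comes from the package manager).
SAMPLE_UID_TO_PACKAGE = {10023: "com.htc.loggers", 1000: "android", 10051: "com.example.game"}
# Package name taken from the htcserviced path quoted in the article.
WATCHLIST = {"com.htc.loggers"}
TCP_LISTEN = 0x0A  # socket state code for LISTEN in /proc/net/tcp


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (dotted_ip, port); the IPv4 address is little-endian."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp, uid_to_package):
    """Return one dict per LISTEN socket: address, port, owner and exposure."""
    results = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8 or int(cols[3], 16) != TCP_LISTEN:
            continue  # malformed line or not a listener (e.g. ESTABLISHED)
        ip, port = decode_endpoint(cols[1])
        uid = int(cols[7])
        package = uid_to_package.get(uid, "uid:%d" % uid)
        if ip.startswith("127."):
            scope = "loopback"        # reachable by every app on the device
        elif ip == "0.0.0.0":
            scope = "all-interfaces"  # reachable locally and from the network
        else:
            scope = "interface"
        results.append({"ip": ip, "port": port, "uid": uid, "package": package,
                        "scope": scope, "flagged": package in WATCHLIST})
    return results


if __name__ == "__main__":
    for s in listening_sockets(SAMPLE_PROC_NET_TCP, SAMPLE_UID_TO_PACKAGE):
        print("!!" if s["flagged"] else "  ", s["ip"], s["port"], s["scope"], s["package"])
```

A loopback listener is still exposed to every installed app that holds the INTERNET permission, so the `scope` column matters as much as the `flagged` one.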
Proof of Concept App
To help demonstrate his findings, TrevE created an open-sourced POC of a simple app that requests a single INTERNET permission and then shows that it can gain access to all the data I mentioned above. I ran the app on an unrooted EVO 3D – below you can see the screenshots…
There is also a video walkthrough below the screenshots, shot by Trevor himself.
Proof of concept source and APK:
Patching the Vulnerability
If you do root, we recommend immediately removing HtcLoggers (you can find it at /system/app/HtcLoggers.apk).
Stay safe and don't download suspicious apps. Of course, even quality-looking apps can silently capture and send off this data, but the chance of that is lower.
Note: Only stock Sense firmware is affected. If you're running an AOSP-based ROM like CyanogenMod, you are safe.
Affected devices:
- EVO 4G
- EVO 3D
- EVO Shift 4G? (thanks, pm)
- MyTouch 4G Slide? (thanks, Michael)
- the upcoming Vigor? (thanks, bjn714)
- some Sensations? (thanks, Nick)
- View 4G? (thanks, Pat)
- the upcoming Kingdom? (thanks, Pat)
- most likely others – we haven’t verified them yet, but you can help us by downloading the proof of concept above and running the APK
After finding the vulnerability, Trevor contacted HTC on September 24th and received no real response for five business days, after which he released this information to the public (as per RF full disclosure policy). As far as we know, HTC is now looking into the issue, but no statement has been issued yet.
HTC, you got yourself into this mess, and it's now up to you to climb out of the hole as fast as possible, in your own interest.
Via: Android Police