Researchers have found serious security problems with some HTC Android smartphones, which could allegedly give hackers your identity, location and who you've been talking with and texting.

They've posted their findings on Android Police about certain HTC phones (including the Evo 3D, Evo 4G and Thunderbolt) and a vulnerability introduced by a suite of logging tools that collects an excessive amount of information about the user, information that should be secured and isn't.

Android Police founder Artem Russakovskii, Android developer Justin Case and Trevor Eckhart (who found the security hole) sounded the alarm over the weekend, and owners of these phones should take heed ASAP. If you've downloaded any app that requires connection to the Internet (and we're guessing most of yours, like ours, do), that app can now acquire the following off your phone, without your permission:
  • the list of user accounts, including email addresses and sync status for each
  • last known network and GPS locations and a limited previous history of locations
  • phone numbers from the phone log
  • SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
  • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
That's a whole lot of information that could be accessible to unscrupulous sorts who could easily take advantage of such a windfall. All with a single Internet permission. According to Android Police, HTC has practically opened the door for information robbers and given them the run of the house. Your house.

To further make you feel more helpless than when you began reading this, Russakovskii and his cohorts also found an app called androidvncserver.apk that HTC added to its Android OS installations, which gives remote access to these HTC phones. Which means someone, somewhere, could take control of your phone right in front of your eyes.

Go to Android Police for the technical nitty-gritty, including a proof-of-concept app developed by Eckhart that purports to show how this works, with screenshots.

But you can follow Eckhart along on this video to see how easy it is for information to flow from your phone to ... wherever HTC is storing it, and how easily it could get into other hands.


We've reached out to HTC and we'll update when and if we hear from them. (Android Police has already alerted HTC.)

For now, it doesn't look like there's much HTC phone owners can do, besides rooting the phone (which, if a user pursues it, should also include immediate removal of HtcLoggers, /system/app/HtcLoggers.apk). Android Police's advice falls in line with the usual security precautions: "Stay safe and don't download suspicious apps. Of course, even quality-looking apps can silently capture and send off this data, but the chance of that is lower."

Besides the HTC phones we've already mentioned, Android Police has heard of this issue affecting these phones: Evo Shift 4G, MyTouch 4G Slide, Sensation.