HTC is working with mobile carriers to push out over-the-air software security updates to fix a vulnerability in several of its Android smartphone models that could be exploited by a third-party to steal users’ personal information.
“While we have not learned of any customers being adversely affected to date, we would like to ensure all customers immediately accept, download and install the security update as soon as they see the notification on their phone,” HTC said in a statement sent to SCMagazineUS.com on Wednesday.
Sprint on Tuesday began pushing the updates to users of the affected HTC Android devices, including HTC EVO 4G, HTC EVO 3D, HTC EVO Shift 4G, HTC EVO Design 4G, HTC EVO View 4G and HTC Wildfire. Affected T-Mobile users are also receiving the updates.
The flaw, disclosed earlier this month by researcher Trevor Eckhart, could give any internet-connected application access to users’ personal data.
The bug stems from a recently added program, HTCLoggers.apk, which logs large amounts of information from the phones, according to Eckhart. The program enables any app that requests permission to connect to the web to easily access data that has been logged. This information includes user accounts, email addresses, GPS locations, SMS data, phone numbers and system logs.
In its statement, HTC advised customers to “use caution when downloading, using, installing and updating applications from untrusted sources.”