The flaw, affecting several of its Android smartphone models, was discovered by researcher Trevor Eckhart, who alerted HTC about it on Sept. 24 and received no response for five days before going public with the issue on Friday, according to the blog AndroidPolice, which first reported the news.
The bug stems from a recently added program, HTCLoggers.apk, which logs large amounts of information from the phones, according to Eckhart. The program enables any app that requests permission to connect to the web to easily access data that has been logged. This information includes user accounts, email addresses, GPS locations, SMS data, phone numbers and system logs.
The flaw affects HTC Android phones, including the EVO 3D, EVO 4G and Thunderbolt, among others, Eckhart said.
The problem stems from the fact that the HTCLoggers program effectively lets any app with internet access bypass the many separate permissions normally required to access data on the phones – everything from GPS location data to system logs, he said. Rather than enforcing those permissions, the logging program was set up so that any app on the device with internet access can connect to it and obtain the information it has been gathering.
HTC has acknowledged the issue and promised a fix.
“HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible,” the company said in a statement sent to SCMagazineUS.com on Monday. “We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken.”
Eckhart created a proof-of-concept app that can be run on vulnerable phones to demonstrate the bug. He also created a YouTube video to show how the flaw could be exploited on a stock EVO 3D.