Android Police has discovered an unsettling, and potentially dangerous, security flaw in some pre-installed software that HTC has begun installing on several of their handsets. Devices from this year, including the HTC Sensation and EVO 3D, are loaded with a silent logging app that records your email accounts, SMS data and numbers, phone logs and GPS location data. This information is supposed to be shared with HTC on a need-only basis, and anonymously, never exposing specific names.
However, the logging software has a huge hole that allows other apps to gain access to that information, and more, even if they don’t have explicit permission to do so. See, when you install an Android app, it always tells you what permissions it has access to. The main one, android.permission.INTERNET, allows an app to connect to the internet, and potentially share ads with you. However, this logger software, which can only be removed by rooting the phone, is vulnerable to malicious apps snooping around your phone for more information.
HTC has responded by saying they’re working quickly to resolve the issue, but the vulnerability has been there for months, and it’s hard to know if they just didn’t know about it or if they did and hoped no one would find out. Either way, this is further proof that OEMs installing software behind your back can lead to potentially damaging, and reputation-tarnishing, situations.
Let’s hope HTC steps up and patches the flaw ASAP. Check out the source link for a much more detailed explanation of the vulnerability.
Source: Android Police