HTC Android handset flaws exposing user data to hackers

Apps could be logging and sending personal information stored on smartphones

HTC smartphones have been found to contain vulnerabilities that could leave sensitive user data such as phone numbers and email addresses easily accessible to hackers.

The flaws are said to have been introduced by the latest version of the firm's Sense user interface. Affected phones so far include the EVO 4G, EVO 3G, EVO Shift 4G, Thunderbolt, MyTouch 4G Slide and some Sensation models, according to bug hunters at specialist blog Android Police.

Any application that requests the standard android.permission.INTERNET permission gains not only access to the web, but also to a list of user accounts, the last known network, GPS location and histories of phone numbers from the log.

"HTC introduced a suite of logging tools that collects information. Lots of information. LOTS. Whatever the reason - better understanding of problems on devices, easier remote analysis, corporate evilness - it doesn't matter," said Artem Russakovskii on the Android Police blog.

"If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in."

Russakovskii also noted that the only way to fix the problem is to root devices or wait for HTC to issue an update. Those who do root their devices are advised to immediately remove HtcLoggers, which is found at /system/app/HtcLoggers.apk.

Android Police has informed HTC about the problem, and the company is believed to be looking into it. V3 contacted the handset maker, but had not received a reply at the time of writing.