Thread: Awwww .. Spoilsports reveal the HTC Android pwnage

  1. #1
    Member 'nixer's Avatar

    Awwww .. Spoilsports reveal the HTC Android pwnage

    In news that will break every 'droid hacker's* heart, some spoilsports revealed a vulnerability in the HTC Android phones that hackers* (and security analysts) have known about for a while.

    'Speechless': HTC Android phones expose users' locations, call history

    The two models sold in Australia that are affected are the HTC Sensation and the HTC EVO 3D. Bonus points if you imported one of the other affected ones from overseas!

    Luckily for the hackers* (and those that make money off protecting people from them), there are plenty more 'droid vulnerabilities to exploit.

    Watch as large numbers of apps disappear quickly from the Marketplace. Hear the high-pitched cackling from the Apple fanbois. Smell the fear on cheating husbands/wives as their every movement, call, and text is revealed (yes, I do consult on Android security. Message me to catch the cheating bugger out secure your phone).

    In other news, I have a wicked cool app for telling you exactly where the po-po is at any time, you just need to grant it internet access ...

    Now, to the "Everything Android" thread.


    * Yes, I know it's technically cracking. You are a geek.
    Last edited by 'nixer; 05-10-2011 at 01:18 AM.
    Quote Originally Posted by Maxo View Post
    Way to delve straight into personal insults, cunthole.

  2. #2
    Member Ferris's Avatar
    Ok, so *if* you download one of these malware programs, you can be compromised?

    Hardly a newsflash. The signal to noise ratio of this thread is pretty low. The same sort of person to be affected by this hack is the same sort of person to have a pc crammed with malware and trojans.

    Work Buy Consume Die

  3. #3
    Member r0gue's Avatar
    Pfft, they have said no apps are out there that can do it, and the hole will be fixed before any show up. Vulnerabilities can be found in the iPhone, and OSX too, it's not really that big a deal.
    Meanwhile how's that iPhone 5, oh wait, iPhone 4s I mean.

  4. #4
    Member r0gue's Avatar
    meh.
    Last edited by r0gue; 06-10-2011 at 08:51 AM.

  5. #5
    Member 'nixer's Avatar
    Quote Originally Posted by Ferris View Post
    Ok, so *if* you download one of these malware programs, you can be compromised?

    Hardly a newsflash. The signal to noise ratio of this thread is pretty low. The same sort of person to be affected by this hack is the same sort of person to have a pc crammed with malware and trojans.
    I guess the trick is in knowing which are the malware apps and which aren't, since there's no Android AV that goes "ding, ding, ding! You're a winner". It's not like you need to create a 0-day exploit to bypass AV and siphon off info - that handy dandy "motorcycle lean angle" app will do just fine.

    As to the import of the "revelation", we'll find out in due course. I readily admit it will be overhyped, over-analysed, and over-discussed.

    The fix is trivial (delete HTCLoggers.apk from /system/app/.) Or you could do what the cool kids do and root and flash with CyanogenMod.

    The relevance is the entertainment to be caused with how this is going to be used by Apple et al. and managed by Google and HTC. And in the confected outrage at the raping of civil liberties Google has potentially allowed.

    Not in the "*shock* *horror* the haX0rs stole my identity and all my money!"

    As to;

    Quote Originally Posted by r0gue View Post
    they have said no apps are out there that can do it
    Any fucker who knows basic Android development could write one before lunchtime.


    Hmm, by those seemingly anti-Apple statements, I wonder if the entertainment of the fanboi war has begun ... it has for me, anyway.


    Edit: Ah, I see. You have taken me for an Apple fanboi. I have both Android and Apple phones (others even) for work. I couldn't give a shit which one I'm using at any one moment.

    To clarify, I have no religious affiliation with either, and do not base my self worth on the correct choice of smartphone.
    Last edited by 'nixer; 05-10-2011 at 07:03 AM.
    Quote Originally Posted by Maxo View Post
    Way to delve straight into personal insults, cunthole.

  6. #6
    Member Cap'n James086's Avatar
    I wonder how many apps are designed to exploit this? I don't have any "best ever gun noises" or "arnold sound board" apps so I'm probably safe.
    Is such a thing even possible?

  7. #7
    Member 'nixer's Avatar
    Quote Originally Posted by Abuse this View Post
    I wonder how many apps are designed to exploit this? I don't have any "best ever gun noises" or "arnold sound board" apps so I'm probably safe.
    Well, any app that connects to the internet could be a possible candidate. Anything that requests android.permission.INTERNET also gets access to the list of user accounts, sync status for each known network and GPS locations, phone numbers, SMS data, and the kernel/dmesg and app/logcat system logs (also boring stuff like battery status).

    The problem is that HtcLoggers.apk (an official HTC app) is collecting all that data, and they fucked up by giving any app that has android.permission.INTERNET permissions permission to send the data in the log files to a remote server.

    Have you rooted your phone? If so, remove /system/app/HtcLoggers.apk and no stress.

    Do you give a shit if the other data gets leaked to a third party?

    This page contains an explanation of the problem and proof-of-concept code.

    Massive Security Vulnerability In HTC Android Devices (EVO 3D, 4G, Thunderbolt, Others) Exposes Phone Numbers, GPS, SMS, Emails Addresses, Much More

    I've tested the code on an EVO 3D and it works.

    Edit: Now tested on a HTC Sensation and it works.

    Have some trusted coder on here look at it for you - they'll tell you.

    It is extremely simple code. I even knocked up my own, slightly improved, version.

    Now that there is a POC out there, every script kiddie and his dawg will be trying to get it onto someone's phone.

    And, for the record, I'm not a fanboi of any phone. I'm a coding/security geek.
    Last edited by 'nixer; 05-10-2011 at 09:54 AM.
    Quote Originally Posted by Maxo View Post
    Way to delve straight into personal insults, cunthole.
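
An audit sketch for the exposure described in post #7, added here as an example (it is not code from the thread or from the linked article): given saved `pm list packages -f` output and per-app `aapt dump permissions` output, it reports whether the logger APK sits in /system/app and which installed apps hold android.permission.INTERNET. The function names and all sample package names are constructed for illustration.

```python
import re

# The thread spells the file both HTCLoggers.apk and HtcLoggers.apk,
# so the path is compared case-insensitively.
LOGGER_PATH = "/system/app/htcloggers.apk"
INTERNET = "android.permission.INTERNET"

def logger_present(pm_list_output):
    """True if `pm list packages -f` output lists the logger APK in /system/app."""
    for line in pm_list_output.splitlines():
        m = re.match(r"package:(\S+?\.apk)=(\S+)$", line.strip())
        if m and m.group(1).lower() == LOGGER_PATH:
            return True
    return False

def parse_permissions(aapt_output):
    """Parse `aapt dump permissions` text into (package, set of permissions).
    Accepts both `uses-permission: X` and `uses-permission: name='X'`."""
    package, perms = None, set()
    for line in aapt_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            package = line.split(":", 1)[1].strip()
        m = re.match(r"uses-permission:\s*(?:name=')?([\w.]+)'?", line)
        if m:
            perms.add(m.group(1))
    return package, perms

def exposed_apps(pm_list_output, aapt_dumps):
    """Apps holding INTERNET on a device that still has the logger APK."""
    if not logger_present(pm_list_output):
        return []
    hits = []
    for dump in aapt_dumps:
        package, perms = parse_permissions(dump)
        if INTERNET in perms:
            hits.append(package)
    return sorted(hits)

# Constructed sample data (not captured from a real device).
SAMPLE_PM = """package:/system/app/HtcLoggers.apk=placeholder.logger.pkg
package:/data/app/example.leanangle-1.apk=example.leanangle
package:/data/app/example.notes-1.apk=example.notes"""
SAMPLE_DUMPS = [
    "package: example.leanangle\nuses-permission: android.permission.INTERNET",
    "package: example.notes\nuses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'",
]

if __name__ == "__main__":
    print("logger APK present:", logger_present(SAMPLE_PM))
    print("apps with INTERNET:", exposed_apps(SAMPLE_PM, SAMPLE_DUMPS))
```

An empty result after the APK has been removed from /system/app confirms the fix suggested in the thread took effect.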
