Oct 01
Last Updated: January 17th, 2012

I am quite speechless right now. Justin Case and I have spent all day together with Trevor Eckhart (you may remember him as TrevE of DamageControl and Virus ROMs) looking into Trev's findings deep inside HTC's latest software installed on such phones as EVO 3D, EVO 4G, Thunderbolt, and others.

These results are not pretty. In fact, they expose such ridiculously frivolous doings, for which HTC has no one to blame but itself, that the data-leaking Skype vulnerability Justin found earlier this year pales in comparison. Without further ado, let me break things down.

The Vulnerability

Update 10/4/11: HTC posted a public response promising a patch.

In recent updates to some of its devices, HTC introduced a suite of logging tools that collect information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.

That is not the case. What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

  • the list of user accounts, including email addresses and sync status for each
  • last known network and GPS locations and a limited previous history of locations
  • phone numbers from the phone log
  • SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
  • system logs (both kernel/dmesg and app/logcat), which include everything your running apps do and are likely to include email addresses, phone numbers, and other private info

Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don't expect it to read your phone log or list of emails.

But that's not all. After spending all day looking at the huge amount of data (the log file was 3.5MB on my EVO 3D) that is open to apps exploiting this vulnerability, I found the following is also exposed (granted, some of which may be already available to any app via the Android APIs):

  • active notifications in the notification bar, including notification text
  • build number, bootloader version, radio version, kernel version
  • network info, including IP addresses
  • full memory info
  • CPU info
  • file system info and free space on each partition
  • running processes
  • current snapshot/stacktrace of not only every running process but every running thread
  • list of installed apps, including permissions used, user ids, versions, and more
  • system properties/variables
  • currently active broadcast listeners and history of past broadcasts received
  • currently active content providers
  • battery info and status, including charging/wake lock history
  • and more

Let me put it another way. By using only the INTERNET permission, any app can also gain at least the following:

  • ACCESS_COARSE_LOCATION: Allows an application to access coarse (e.g., Cell-ID, WiFi) location
  • ACCESS_FINE_LOCATION: Allows an application to access fine (e.g., GPS) location
  • ACCESS_LOCATION_EXTRA_COMMANDS: Allows an application to access extra location provider commands
  • ACCESS_WIFI_STATE: Allows applications to access information about Wi-Fi networks
  • BATTERY_STATS: Allows an application to collect battery statistics
  • DUMP: Allows an application to retrieve state dump information from system services
  • GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service
  • GET_PACKAGE_SIZE: Allows an application to find out the space used by any package
  • GET_TASKS: Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.
  • READ_LOGS: Allows an application to read the low-level system log files
  • READ_SYNC_SETTINGS: Allows applications to read the sync settings
  • READ_SYNC_STATS: Allows applications to read the sync stats

Theoretically, it may be possible to clone a device using only a small subset of the information leaked here.

I'd like to reiterate that the only reason the data is leaking left and right is because HTC set their snooping environment up this way. It's like leaving your keys under the mat and expecting nobody who finds them to unlock the door. For a more technical explanation, see the section below.

Additionally, and the implications of this could end up being insignificant, yet still very suspicious, HTC also decided to add an app called androidvncserver.apk to their Android OS installations. If you're not familiar with the definition of VNC, it is basically a remote access server. On the EVO 3D, it was present from the start and updated in the latest OTA. The app doesn't get started by default, but who knows what and who can trigger it and potentially get access to your phone remotely? I'm sure we'll know soon enough - HTC, care to tell us what it's doing here?

Technical Details

In addition to Carrier IQ (CIQ) that was planted by HTC/Sprint and prompted all kinds of questions a while ago, HTC also included another app called HtcLoggers.apk. This app is capable of collecting all kinds of data, as I mentioned above, and then... providing it to anyone who asks for it by opening a local port. Yup, not just HTC, but anyone who connects to it, which happens to be any app with the INTERNET permission. Ironically, because a given app has the INTERNET permission, it can also send all the data off to a remote server, killing 2 birds with one permission.

In fact, HtcLoggers has a whole interface which accepts a variety of commands (such as the handy :help: that shows all available commands). Oh yeah - and no login/password is required to access said interface.

Furthermore, it's worth noting that HtcLoggers tries to use root to dump even more data, such as WiMax state, and may attempt to run something called htcserviced - at least this code is present in the source:

/system/xbin/su 0 /data/data/com.htc.loggers/bin/htcserviced

HtcLoggers is only one of the services that is collecting data, and we haven't even gotten to the bottom of what else it can do, let alone what the other services are capable of doing. But hey - I think you'll agree that this is already more than enough.
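A defender-side check for the condition described in this section, added here as an example (it is not part of the original article or of TrevE's proof of concept): it parses the contents of /proc/net/tcp, for instance saved from `adb shell cat /proc/net/tcp`, and lists listening TCP sockets with their owning uid, because a listener bound to loopback is reachable by every app on the device that holds INTERNET. The sample table, ports, uids and allowlist are constructed.

```python
import socket
import struct
from typing import List, NamedTuple, Set, Tuple

TCP_LISTEN = 0x0A      # value of the "st" column for a listening socket
FIRST_APP_UID = 10000  # Android assigns installed apps uids from 10000 upward

# Constructed sample in /proc/net/tcp layout (not captured from an affected phone).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:C350 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10052        0 4211 1 00000000 300 0 0 2 -1
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3310 1 00000000 300 0 0 2 -1
   2: 0F02000A:9C40 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10071        0 5120 1 00000000 300 0 0 2 -1
"""


class Listener(NamedTuple):
    address: str
    port: int
    uid: int
    reach: str  # who can connect to this socket


def decode_ipv4(hex_addr: str) -> str:
    # The kernel prints the address as a native-endian 32-bit hex word;
    # on little-endian devices (ARM phones, x86) 0100007F is 127.0.0.1.
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def parse_listeners(table: str) -> List[Listener]:
    """Return every IPv4 socket in LISTEN state (tcp6 is a separate file)."""
    found = []
    for line in table.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10 or int(f[3], 16) != TCP_LISTEN:
            continue
        addr_hex, port_hex = f[1].split(":")
        address = decode_ipv4(addr_hex)
        # Loopback is no privilege boundary: any local app with INTERNET can connect.
        reach = "apps on this device" if address.startswith("127.") else "network and apps"
        found.append(Listener(address, int(port_hex, 16), int(f[7]), reach))
    return found


def unexpected(listeners: List[Listener], allowed: Set[Tuple[int, int]]) -> List[Listener]:
    """Listeners whose (uid, port) pair is not on the reviewer's allowlist."""
    return [l for l in listeners if (l.uid, l.port) not in allowed]


if __name__ == "__main__":
    # Hypothetical allowlist: a root-owned service on 8080 is known and expected.
    for l in unexpected(parse_listeners(SAMPLE), allowed={(0, 8080)}):
        kind = "app" if l.uid >= FIRST_APP_UID else "system"
        print(f"{l.address}:{l.port} uid={l.uid} ({kind}) reachable by {l.reach}")
```

Any listener this reports still has to be checked by hand for whether it authenticates its callers, which is the step the logging service described above skipped.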


Proof Of Concept App

In order to help showcase his findings, TrevE created an open-sourced POC (proof of concept) of a simple app that requests a single INTERNET permission, then shows that it can gain access to all the data I mentioned above. I ran the app on an unrooted EVO 3D - see the screenshots below or try it out yourself.

There is also a video walkthrough below the screenshots, shot by Trevor himself.

Proof of concept source and apk:


Patching The Vulnerability

... is not possible without either root or an update from HTC. If you do root, we recommend immediate removal of HtcLoggers (you can find it at /system/app/HtcLoggers.apk).

Stay safe and don't download suspicious apps. Of course, even quality-looking apps can silently capture and send off this data, but the chance of that is lower.

Affected Phones

Note: Only stock Sense firmware is affected - if you're running an AOSP-based ROM like CyanogenMod, you are safe.

  • EVO 4G
  • EVO 3D
  • Thunderbolt
  • EVO Shift 4G? (thanks, pm)
  • MyTouch 4G Slide? (thanks, Michael)
  • the upcoming Vigor? (thanks, bjn714)
  • some Sensations? (thanks, Nick)
  • View 4G? (thanks, Pat)
  • the upcoming Kingdom? (thanks, Pat)
  • most likely others - we haven't verified them yet, but you can help us by downloading the proof of concept above and running the APK

HTC's Response

After finding the vulnerability, Trevor, with xda member Egzthunder1's help, contacted HTC on September 24th and received no real response for five business days, after which Trevor released this information to the public (as per RF full disclosure Policy). In my experience, lighting a fire under someone's ass in public makes things move a whole lot faster, which is why responsible disclosure is a norm in the security industry. (This is where we come in.)

As far as we know, HTC is now looking into the issue, but no statement has been issued yet.

HTC, you got yourself into this mess, and it's now up to you to climb out of the hole as fast as possible, in your own interest.

The ball is in your court.

Credit

Huge thank you to Trevor Eckhart who found the vulnerability and Justin Case for working with us today digging deeper.

Update: Another contributor, Egzthunder1 of xda, who helped submit the issue to HTC, was pointed out to us on 10/5/11. Just to be clear - this person's involvement was not known to us at the time of publication, and we were working only with the main researcher - TrevE. You can get more information about xda's public accusation and our response here.

Artem Russakovskii
Artem is a die-hard Android fan, passionate tech blogger, obsessive-compulsive editor, bug hunting programmer, and the founder of Android Police.
Most of the time, you will find Artem either hacking away at code or thinking of the next 15 blog posts.

  • Tom. Hato

    Good work Trevor Eckhart, your brains are where it is supposed to be and not in the sack.

    HTC should now provide patch or replace their android phone where further android updates are not compatible.

  • Virtually_clueless

    I ran the program and just got the message

    "Unexpected exception.........Connection refused"

    Sorry for being a dum-ass but am I supposed to edit the Logctl Port number (set at zero), because I can't!

    HTC Legend, Android 2.2

  • Ron

    same here... "Unexpected exception.........Connection refused"

    but the logctl port is "0" and i can't change it.

    stock htc sensation with vodafone branding - android 2.3.4

  • ralz

    HTC Desire S/Telekom branded (Germany)
    Android: 2.3.3
    Sense: 2.1
    Build-/Software number: 1.47.111.3

    POC App responds with connection refused exception on 127.0.0.1:65511

    No HtcLoggers.apk present in /system/app

  • john blogs

    Trevor Eckhart tried to blackmail HTC by asking for a flyer in return for silence.

  • robry

    my gmail was accessed this morning, and I use a very secure password that was generated just for gmail. I *highly* doubt I was compromised any other way. If you haven't already, remove HTCloggers ASAP and change your google/gmail passwords. Also use the 2-step authentication that google offers (google authenticator app) to help protect yourselves. This is outrageous of HTC.

    • http://www.AndroidPolice.com Artem Russakovskii

      I don't think this vulnerability had anything to do with it, it doesn't reveal passwords as far as we know, just monitors certain information. There are also no known malicious apps (yet) that even target this vulnerability.

  • Virtually_clueless

    Artem - you're globally famous now!!!

    http://www.bbc.co.uk/news/technology-15171106

  • HolyMoly

    If HTC has any connection whatsoever with the communist regime on the mainland - China, this is extremely serious.

    • Briac Pollier

      For your information HTC is a (very good) Taiwanese company, a democratic country which has no link to the communist regime. A big amount of the computers come from there (Asus, Acer, MSI). Taiwan has an army, jet fighters and navy boats to defend itself from a Chinese invasion which is something they don't want, they like freedom. Taiwan is allied to the US - and unofficially many other western countries. I love HTC phones and don't like hearing anybody is spying on me, but please don't confuse cats with cows. I've been to Taiwan, and to China, I can assure you they are extremely different.

  • Wolfgang

    thanks for warning, my sensation seems to be "ok"...

  • Serge

    Hi.
    I've read this article and I have used barcode to scan the barcode above and download zipped file that I unzipped somewhere on the phone (sorry, I am not a phone nerd). I have European HTC Desire HD, and I am totally clueless what to do to test for this vulnerability, the video above is not helpful at all.
    Thanks
    S

  • Serge

    Delete my comment, I installed the app and have no HTCLogger as far as I can see. Also get "Connection Refused" exception and port 0.

  • vcdragoon

    I was wondering if there was a way to log if an app makes the android.permission.Internet request. I guess I am wondering if it's possible to find out how to avoid those apps.

  • john

    HTC DHD (German) with Revolution OS is affected (based on stock firmware)

  • Tastymix

    Is there anyone who has tested HTC Sensation XE for this?

    I'm from Denmark BTW, if it has any influence.. I noticed in some of the comments that it's mainly US HTC, which suffers from this?

  • http://www.michaelmanganuk.com Mike Mangan

    Does anyone know if the HTC Desire Z is affected or the HTC Wildfire. UK based.

    I stopped all internet access on myself and g/f phones when I read about this a week or so ago hoping HTC would release an immediate update but seen nothing as yet.

    Anyone know if we are safe?

  • Michael the D-ark Angel

    Hi just to clarify, I have an EVO 3D with
    Android 2.3.4, Sense 3.0, Software Number 1.22.720.1. Location: Chennai, India

    Strange as it seems, I did have a hack issue with my Yahoo Account (the first in a long time) after doing the email settings on the phone just as someone mentioned, yeah, the usual buy viagra to all the contacts in my list! Unsure if this is just coincidence. The thing is I did run the Logging Danger App, but it came with the same action of opening to "Unexpected exception: /127.0.0.1:0 - Connection refused"

    Does this mean the device is secure and does not fall under the vulnerability claimed to affect EVO 3D with the stock Sense 3.0? I did not root my mobile and as you can see it is in stock settings. I do see HTCLoggers.apk and HTCFeedback.apk in the list. Thing is there are lot of apps that will collect data per se and when looking through the list of apps with ES File Explorer it kinda makes it more obvious. Thing is I am sure we cannot know who/which app is using the info for bad purposes and more over every darned app seems to ask for some permission or the other to be ALWAYS allowed.

    For example, just off the hat, people would look at some of the following and start getting paranoid, including me: Account Sync Manager.apk,
    AppSharing.apk
    CheckinProvider.apk
    FriendStream.apk
    Google Feedback.apk
    HTCFeedback.apk
    Sync3DWidget.apk
    TrendsWidget.apk
    ContactsProvider.apk
    CSPeopleSyncService.apk

    and a couple more if you know what I mean. I do not recall having received any software updates after purchasing the phone so is this setup okay to live with or is it a must to get rid of the Sense and HTC apps(and even HTC Hub, HTC Likes) and get it rooted in the name of security? So far my only experience with android is, I have installed apps on another android device (Samsung Galaxy Pro) and have not yet got started on the EVO 3D.

    The info I get is based off sites and as of now when the reviews of so called root and roms show that some of the original functions(like 3D camera) stop working, Don't wanna name them outright, but I think some experts on the matter can enlighten me some. I just don't feel comfortable enough in crippling a phone off its original appeal which some are satisfied with for obvious reasons. Thanks and Regards.

  • Bob van Dijk

    November 16th, 2011: No detailed information yet from HTC, no patch available. So no information since October 4th. Recent reply from HTC: "when available, patch will be announced on their website". Great.....

  • The Batman

    Scare tactics ftw? No htclogger on stock ROM of my rooted white EVO 3d, hboot v1.5, 2.3.4 gingerbread

  • MOS

    You people do not realize that these logging apps aren't in just one app, one phone, or even one manufacturer. Multiple apps on the marketplace have loggers, and other brands have them too. It's an at&t requirement for these phones to have CarrierIQ.

    • http://bidcandy.com/ Bidding Sites

       Yup, nothing new here... Even if you turn off the logging from all local systems (phones, servers etc.) -- the traffic is still logged at the network access points. A whistleblower told about this on slashdot that the NSA/CIA is monitoring all

  • bryan

    Do u know if a rooted user is vulnerable

    • MOS

      A root user is vulnerable if using a stock rom on an infected phone.

      Sent from my HTC Inspire 4G

  • frank

    I have an Android and places and navigation are appearing on my phone that have nothing to do with advertising. I do not have an HTC account for mobile access. Can my phone be hacked or compromised? How do I find out if it is? These places and locations, I have no idea why they show up.

    • MOS

      ANYONE is vulnerable to a determined hacker. And lately it is impossible not to be tracked.


  • Billykrystal245

    I have found another security flaw from within the Sensation 4G phone application. I talked to HTC customer service; the agent I spoke to told me that it is my own fault. His name was William. HTC just doesn't care about their customers whatsoever. Don't ever expect a fix from HTC. I will post the vulnerabilities once I do a lil more testing on the vulnerability. Hopefully HTC gets sued for their poor quality of work on their devices. I will never buy an HTC device ever again. I was a design aged HTC fan, never bought a device but HTC; now I will never buy one ever again. They just lost a dedicated customer.

  • Rizwan Anwar

    Hi.. The bluetooth of my HTC Desire HD will not allow voice dialing, there is no app which provides a get around since voice dialing from the phone requires you the hold the phone or be completely quiet. Another problem is the time lag which gives the caller a confusing echo, so hands free is definitely out.

  • fedup

    How can you prove who is hacking your Android? My HTC Hero is hacked and has been for about five months. I know who is doing it, and sadly they do nothing but monitor my every move, whether it be cyber or earthly. I'm over it. I'm not big on tattling, I usually handle things myself, but this is out of control, and I am not going to get in trouble for their malicious behavior. I have stat trace screen shots, will that help?
    thanks guyz - I appreciate any input

  • dsff4fwef

    This is what happens when we allow a Chinese company to make our electronics' OS. It is just the beginning...

  • Ahmad Majed

    Hello Dear, hope this letter finds you well. With reference to my latest research, I couldn't find till now an application that can help me know the exact person, or any info about whoever was spying on my cell phone, HTC 1X. Kindly, I need support for this issue; specifically, I am looking to know who is spying on my phone, not looking for an application that makes me spy on others' phones. Regards