01
Oct
Last Updated: January 17th, 2012

I am quite speechless right now. Justin Case and I have spent all day together with Trevor Eckhart (you may remember him as TrevE of DamageControl and Virus ROMs) looking into Trev's findings deep inside HTC's latest software installed on such phones as EVO 3D, EVO 4G, Thunderbolt, and others.

These results are not pretty. In fact, they expose such ridiculously frivolous doings, which HTC has no one else to blame but itself, that the data-leaking Skype vulnerability Justin found earlier this year pales in comparison. Without further ado, let me break things down.

The Vulnerability

Update 10/4/11: HTC posted a public response promising a patch.

In recent updates to some of its devices, HTC introduced a suite of logging tools that collect information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.

That is not the case. What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

  • the list of user accounts, including email addresses and sync status for each
  • last known network and GPS locations and a limited previous history of locations
  • phone numbers from the phone log
  • SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
  • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don't expect it to read your phone log or list of emails.

But that's not all. After spending all day looking at the huge amount of data (the log file was 3.5MB on my EVO 3D) that apps exploiting this vulnerability can reach, I found that the following is also exposed (granted, some of it may already be available to any app via the Android APIs):

  • active notifications in the notification bar, including notification text
  • build number, bootloader version, radio version, kernel version
  • network info, including IP addresses
  • full memory info
  • CPU info
  • file system info and free space on each partition
  • running processes
  • current snapshot/stacktrace of not only every running process but every running thread
  • list of installed apps, including permissions used, user ids, versions, and more
  • system properties/variables
  • currently active broadcast listeners and history of past broadcasts received
  • currently active content providers
  • battery info and status, including charging/wake lock history
  • and more

Let me put it another way. By using only the INTERNET permission, any app can also gain at least the following:

  • ACCESS_COARSE_LOCATION - Allows an application to access coarse (e.g., Cell-ID, WiFi) location
  • ACCESS_FINE_LOCATION - Allows an application to access fine (e.g., GPS) location
  • ACCESS_LOCATION_EXTRA_COMMANDS - Allows an application to access extra location provider commands
  • ACCESS_WIFI_STATE - Allows applications to access information about Wi-Fi networks
  • BATTERY_STATS - Allows an application to collect battery statistics
  • DUMP - Allows an application to retrieve state dump information from system services.
  • GET_ACCOUNTS - Allows access to the list of accounts in the Accounts Service
  • GET_PACKAGE_SIZE - Allows an application to find out the space used by any package.
  • GET_TASKS - Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.
  • READ_LOGS - Allows an application to read the low-level system log files.
  • READ_SYNC_SETTINGS - Allows applications to read the sync settings
  • READ_SYNC_STATS - Allows applications to read the sync stats

Theoretically, it may be possible to clone a device using only a small subset of the information leaked here.

I'd like to reiterate that the only reason the data is leaking left and right is because HTC set their snooping environment up this way. It's like leaving your keys under the mat and expecting nobody who finds them to unlock the door. For a more technical explanation, see the section below.

Additionally, and the implications of this could end up being insignificant, yet still very suspicious, HTC also decided to add an app called androidvncserver.apk to their Android OS installations. If you're not familiar with the definition of VNC, it is basically a remote access server. On the EVO 3D, it was present from the start and updated in the latest OTA. The app doesn't get started by default, but who knows what and who can trigger it and potentially get access to your phone remotely? I'm sure we'll know soon enough - HTC, care to tell us what it's doing here?

Technical Details

In addition to Carrier IQ (CIQ) that was planted by HTC/Sprint and prompted all kinds of questions a while ago, HTC also included another app called HtcLoggers.apk. This app is capable of collecting all kinds of data, as I mentioned above, and then... providing it to anyone who asks for it by opening a local port. Yup, not just HTC, but anyone who connects to it, which happens to be any app with the INTERNET permission. Ironically, because a given app has the INTERNET permission, it can also send all the data off to a remote server, killing 2 birds with one stone permission.

In fact, HtcLoggers has a whole interface which accepts a variety of commands (such as the handy :help: that shows all available commands). Oh yeah - and no login/password is required to access said interface.

Furthermore, it's worth noting that HtcLoggers tries to use root to dump even more data, such as WiMax state, and may attempt to run something called htcserviced - at least this code is present in the source:

/system/xbin/su 0 /data/data/com.htc.loggers/bin/htcserviced

HtcLoggers is only one of the services that is collecting data, and we haven't even gotten to the bottom of what else it can do, let alone what the other services are capable of doing. But hey - I think you'll agree that this is already more than enough.
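
A defender's check for the condition described above, as an added example that is not from the original article or TrevE's POC: it parses the text of /proc/net/tcp (for instance, captured over adb) and lists listening sockets with their owner UID and bind scope. The sample table, its UIDs and all function names are constructed; port 65511 is the one the POC app reports in the comments on this page; IPv4 and a little-endian device are assumed.

```python
"""List listening IPv4 TCP sockets from /proc/net/tcp text."""
import socket
import sys
from typing import NamedTuple

TCP_LISTEN = 0x0A      # kernel state code for a listening socket
LOGGER_PORT = 65511    # port the POC app reports in this page's comments
FIRST_APP_UID = 10000  # Android gives installed apps UIDs from 10000 up

# Constructed sample in /proc/net/tcp layout; UIDs and inodes are made up.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:FFE7 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 5243 1 00000000 300 0 0 2 -1
   1: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10057        0 6120 1 00000000 300 0 0 2 -1
   2: 0F02000A:A3C4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10057        0 6188 1 00000000 20 4 30 10 -1
"""


class Listener(NamedTuple):
    address: str
    port: int
    uid: int
    scope: str  # "loopback", "all-interfaces" or "single-interface"


def decode_endpoint(field):
    """Turn '0100007F:FFE7' into ('127.0.0.1', 65511)."""
    hex_addr, hex_port = field.split(":")
    # The kernel prints the address as a native-endian 32-bit word, so on
    # little-endian CPUs (ARM, x86) the bytes appear in reverse order.
    raw = bytes.fromhex(hex_addr)[::-1]
    return socket.inet_ntoa(raw), int(hex_port, 16)


def scope_of(address):
    if address.startswith("127."):
        return "loopback"
    if address == "0.0.0.0":
        return "all-interfaces"
    return "single-interface"


def parse_listeners(proc_net_tcp):
    """Return a Listener for every row whose state is LISTEN."""
    listeners = []
    for line in proc_net_tcp.splitlines():
        cols = line.split()
        # Data rows start with an index such as '0:'; this skips the header.
        if len(cols) < 10 or not cols[0].endswith(":"):
            continue
        if int(cols[3], 16) != TCP_LISTEN:
            continue
        address, port = decode_endpoint(cols[1])
        listeners.append(
            Listener(address, port, int(cols[7]), scope_of(address)))
    return listeners


def review(listeners):
    """Pair each listener with a note on who can connect to it."""
    findings = []
    for item in listeners:
        # Binding to 127.0.0.1 keeps remote hosts out, but the kernel does
        # not tell the service which local app is on the other end.
        if item.scope == "loopback":
            note = "local apps with INTERNET can connect"
        else:
            note = "network peers and local apps can connect"
        if item.port == LOGGER_PORT:
            note += "; port matches the logger service"
        if item.uid < FIRST_APP_UID:
            note += "; owned by a system UID"
        findings.append((item, note))
    return findings


def main(argv):
    # Pass a saved copy of /proc/net/tcp as the first argument, or run
    # without arguments to use the constructed sample.
    if len(argv) > 1:
        with open(argv[1]) as handle:
            text = handle.read()
    else:
        text = SAMPLE
    for item, note in review(parse_listeners(text)):
        print(f"{item.address}:{item.port} uid={item.uid} "
              f"[{item.scope}] {note}")


if __name__ == "__main__":
    main(sys.argv)
```

A listener that shows up here as loopback-bound still needs its own caller check, since any installed app holding INTERNET can open the connection.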

Proof Of Concept App

In order to help showcase his findings, TrevE created an open-sourced POC (proof of concept) of a simple app that requests a single INTERNET permission, then shows that it can gain access to all the data I mentioned above. I ran the app on an unrooted EVO 3D - see the screenshots below or try it out yourself.

There is also a video walkthrough below the screenshots, shot by Trevor himself.

Proof of concept source and apk:

Patching The Vulnerability

... is not possible without either root or an update from HTC. If you do root, we recommend immediate removal of HtcLoggers (you can find it at /system/app/HtcLoggers.apk).

Stay safe and don't download suspicious apps. Of course, even quality-looking apps can silently capture and send off this data, but the chance of that is lower.

Affected Phones

Note: Only stock Sense firmware is affected - if you're running an AOSP-based ROM like CyanogenMod, you are safe.

  • EVO 4G
  • EVO 3D
  • Thunderbolt
  • EVO Shift 4G? (thanks, pm)
  • MyTouch 4G Slide? (thanks, Michael)
  • the upcoming Vigor? (thanks, bjn714)
  • some Sensations? (thanks, Nick)
  • View 4G? (thanks, Pat)
  • the upcoming Kingdom? (thanks, Pat)
  • most likely others - we haven't verified them yet, but you can help us by downloading the proof of concept above and running the APK

HTC's Response

After finding the vulnerability, Trevor, with xda member Egzthunder1's help, contacted HTC on September 24th and received no real response for five business days, after which Trevor released this information to the public (as per RF full disclosure Policy). In my experience, lighting a fire under someone's ass in public makes things move a whole lot faster, which is why responsible disclosure is a norm in the security industry. (This is where we come in.)

As far as we know, HTC is now looking into the issue, but no statement has been issued yet.

HTC, you got yourself into this mess, and it's now up to you to climb out of the hole as fast as possible, in your own interest.

The ball is in your court.

Credit

Huge thank you to Trevor Eckhart who found the vulnerability and Justin Case for working with us today digging deeper.

Update: Another contributor, Egzthunder1 of xda, who helped submit the issue to HTC, was pointed out to us on 10/5/11. Just to be clear - this person's involvement was not known to us at the time of publication, and we were working only with the main researcher - TrevE. You can get more information about xda's public accusation and our response here.

Artem Russakovskii
Artem is a die-hard Android fan, passionate tech blogger, obsessive-compulsive editor, bug hunting programmer, and the founder of Android Police.
Most of the time, you will find Artem either hacking away at code or thinking of the next 15 blog posts.

  • https://whattheserver.me spynga

    fucking craziness thanks HTC :(

    glad to see you got our back ..not!!!!

    • BobbyPhoenix

      I'm sure they do have our backs. After reading through the entire article I got confused a bit, and I'm not a dummy when it comes to stuff like this, so I'm not worried as it seems like not the average joe will get my stuff. Like any info anywhere it can be got if wanted. HTC will fix this soon enough. No worries.

      • http://twitter.com/#!/brandonjnunn bjn714

        Agreed with the exception of HTC not asking permission to log this data. I doubt they will remove the logging entirely, but more likely update it to a more secure method (and they better ask permission from now on). The fact that an app that is likely the framework for easier troubleshooting in the future is allowing any app that requests permission to access the internet to see its contents is bad. Given, that requires someone to know about the exploit and also to actually implement it in an app makes it not as likely to affect everyone, but the possibility still exists. That is why we have these permissions to control access to what we want to allow. If an app can circumvent these permissions, intentionally or unintentionally, that is not good.

      • Tony

        There is PLENTY to worry about.

        After the video explanation, even someone like me with only two weeks of android programming experience can code something up to send out the data in question.

        This is serious stuff that needs to be patched asap. I'm glad my phone's rooted and all the unneeded htc apps are already uninstalled.

      • http://blog.automated.it ScaredyCat

        The problem is not so much how quickly HTC fix the problem, it's how glacially carriers provide updates. This hole will remain open on many phones for a very long time. Some just won't update.

        Any fix needs to be completely independent of the carriers - an updated apk, anything is needed right now.

    • trsix

      My shift running 2.2 has it version 1.6

  • http://twitter.com/vinterchaos Josh

    ...and this helped me make my decision between the Amaze 4g and the SGS2. TY for the info.

    • AndroidPoliceIsStupid

      This is ABSURD reasoning. WOW. You don't even have an Amaze to make such reasoning.

      • http://www.AndroidPolice.com Artem Russakovskii

        Nice name.

  • Drstrange462

    I'm rooted on a Thunderbolt running Liquid Thunder Bread 2.6. Where is the offending file I need to remove? Any help would be greatly appreciated.

    • http://www.AndroidPolice.com Artem Russakovskii

      /system/app/HtcLoggers.apk - updated the post with the location.

      • yahtzee50

        Do you have to be rooted to view the "system" directory ?

        • Balthazar B

          I believe so. And I recommend Root Explorer if you want ease of use.

      • Tom

        I have an EVO 4G.

        In addition to removing the HtcLoggers.apk do I need to either freeze or force remove the program (using Titanium Backup)? If so which one am I better off doing?

        Also, are there any log files or any other files that HtcLoggers created which should be deleted? If so please give me the locations of them.

  • Lewis

    Good thing I'm running CM7!

    • housry23

      My thoughts exactly. Although before CM7 came out on the EVO 3D, I am very suspicious of what was collected. This is truly a sad situation. Good thing I have an upgrade in exactly 30 days from today and hopefully will be using it on the Nexus Prime 4G(if Sprint gets it that is).

    • jacob

      Absolutely, I am running it on my tbolt, wow this is scary

  • garth

    ...so no root for my 2.3.3 EVO 4G, eh?

    • Nocturnhabeo

      What are you asking? Your question is unclear.

  • jmb98115

    On a G2 running 2.3.4, logctl port is 0 and not editable.

    Unexpected exception: /127.0.0.1:0 - Connection refused

    • jmb98115

      Oops, missed the important detail of Sense. Feel free to nuke my irrelevant comments. ;)

      • Xhunter187

        I am running BAMF SOAB rom on my HTC Thunderbolt which is a Sense 3.5 rom. I got the same response as you. Does that mean I am safe?

    • SP

      I get the same message when I tried it on my G2.

      I'm rooted running stock 2.3.4 rom that's rooted. My best guess is that it's not collecting anything, not sure. I did uninstall TellHTC with Titanium backup root required.

  • http://droidsamurai.blogspot.com PixelSlave

    Another reason why OEM should get the f*ck out of customizing the stock OS. They just make it more complicated to make Android devices secure.

  • Derek

    If running an AOSP custom ROM we don't have to bother with this, right?

    • http://www.AndroidPolice.com Artem Russakovskii

      Correct.

  • Nik

    Going to try the Proof of Concept App for rooted Nexus S; you sure that app itself isn't sending any data? :S

    Will post results in some time... Hope Samsung hasn't done something like this.

    • Jake

      You find anything of this kind on the nexus s.

  • Ishinder

    I am guessing it will only affect Sense Roms. Someone please confirm or deny. Thanks

    • Jake

      It says so right in the article.

  • Nocturnhabeo

    HOLY BALLS so glad I am running BAMF

    • K33

      I'm running BAMF Forever 1.0.6 and found this apk on my phone so I deleted it. You might want to check yours out too.

      • Guest

        Ya i found that too but ran the test before removing the apk and the test failed so i think we're safe.

  • Zani

    Shocking from HTC.... this could affect the sale of their future devices....has this test been performed on Samsung devices?

    • http://www.AndroidPolice.com Artem Russakovskii

      These are HTC apps - non-Sense non-HTC devices don't have this problem (unless they do something similar, but let that be a lesson to them).

    • AndroidPoliceIsStupid

      This does NOT affect every single HTC device. If you're gonna make assumptions read the ENTIRE article and EVERY comment.

  • jacob olness

    I hope I can trade in my Thunderbolt because of this. I run CM7 but I don't want to support a company with such a terrible track record.

  • Robert On Maui

    Unable to uninstall HTCLogger using Astro File Manager. My HTC Evo G seems to prohibit the uninstall inherently. Any suggestions?

    • http://www.AndroidPolice.com Artem Russakovskii

      If you're not rooted, you won't be able to uninstall it. If you are, then use Titanium Backup or a similar app, or just adb.

  • Ahmad Nadeem

    I had this shown when used every command in the dropbox
    "Unexpected exception: /127.0.0.1:65511 - Connection refused"

    • Ahmad Nadeem

      I have a HTC Wildfire S with the stock rom. Does this mean my phone doesn't have this vulnerability????

      Sorry for the extra post.....I accidentally tapped publish

      • http://www.AndroidPolice.com Artem Russakovskii

        Guess it's not vulnerable then, or runs it on a different port. Check for the apk presence.

        • Andrew

          same on my sensation

  • http://k0nane.info k0nane

    And the Android press STILL gets Carrier IQ's source and purpose wrong. It is installed at the behest of Sprint (and Boost) on ALL Android phones (since the days of the Moment at least). It was first completely deep-removed from the Epic 4G.

    • http://www.AndroidPolice.com Artem Russakovskii

      Added Sprint to the perpetrator list - the point with the situation at hand is it's HTC's code.

      • Shabbypenguin

        no this app is htc code, carrier IQ is completely different. just as the "rescue mode" put on the prevail/replenish is done by logmein

    • http://k0nane.info k0nane

      Thanks, that's a good start. A better writeup on specifically CIQ can be found here. http://forum.xda-developers.com/showpost.php?p=11763089

      Indeed, HTC's code is the issue here, but it's good to get all your facts right. ;-)

      Hi Shabby.

  • jay

    Could I use this to swap my tbolt for a different non HTC device? I do not feel like supporting a company with such terrible practices

  • jay

    I guess I mean would this be a good enough reason in VZW's eyes?

    • Balthazar B

      Hahahahahahahahahahahahahaha

      I strongly suspect not...

  • Dark_King

    I am not finding this file in Indian HTC Sensation.

    • AndroidPoliceIsStupid

      That's because it's not present on the HTC Sensation. This problem seems to be exclusive to Sprint and Verizon phones and apparently one Sensation and some myTouch 4G Slide.

      • http://llaisdy.wordpress.com Ivan

        Just checked on an unrooted recent HTC Sensation (UK, carrier O2). Installed your app and got Connection Refused.

        Thanks for this alert! I'll look into rooting and installing some sysadmin tools.

        Best wishes

        Ivan

  • wfrandy

    Interesting, fortunately for me, htclogger.apk is one of the first files I removed when clearing out the junk on my Evo 4g after I updated it. I just didn't like the sound of its name. And once removed it seemed to have no adverse effect on how the phone works.

  • Carey

    I can't find /system/app/htcloggers on my stock Telecom NZ HTC Sensation, and the POC app fails, so it appears that it isn't installed on this phone, at least in this incarnation.

  • andrew

    Not working on my sensation (1.45)

  • UsrX

    I can't find it on my HTC Sensation running 2.3.4. (1.45.401.2)

  • http://www.khaledscorner.com khaled

    Thanks for warning us.

  • http://www.syklopz.com su

    I knew something was up.
    One of my email accounts was hacked the other day.
    And I said to myself It's this damn EVO 3D
    Now I have the proof.

    • Michael

      No, you don't have proof. You have a possible method that your email was hacked.

      But it is definitely a possibility and it's pretty shocking that HTC let this happen.

    • Paul

      There's a 98% chance it wasn't HTC. They're probably being evil and wanting to learn everything about their devices and users and maybe even for marketing and/or selling purposes, but hacking somebody's email account with this info is not in their interest at all.
      The only possibility is you recently installed a program from a malicious developer who knew about the vulnerability and used it to gain the info. Then there's a 'small' possibility that the info was used to hack your email. There's far easier methods to hack one's email address though. I'd look into making sure you're using SSL/TLS in all communications, you rotate your password every 1-3 months, and you use a separate password for your email (not the same password across all the various accounts on various websites). Password reuse is very common.

  • Mark

    Just the other day, I was beating myself up for deciding to stick with stock. This article just made me realize why I will never get any custom skin. Not saying stock is invulnerable but at least I'm one step safer.

    • http://www.AndroidPolice.com Artem Russakovskii

      Are you talking about stock Android or stock manufacturer UI, such as Sense? The former would make a lot of... sense, but the latter not so much.

      • Mark

        Sorry, I meant stock Android.

        • http://twitter.com/#!/brandonjnunn bjn714

          If you are installing it yourself from a source like CM7, then that is good. Otherwise, even if it is vanilla Android, if it is put out by a carrier, they still have the potential to load other apps that can have security flaws on them. This is another reason I demand the freedom to unlock my phones and do what I want with them.

  • lard

    Android, what a fantastic 'Open System'.

    BTW, did Google close the Honeycomb source code to nip Amazon in the bud with its fantastic 'Honeycomb' tablet killer?

    • Falken

      I bet Amazon was one of the reasons why they withheld the Honeycomb source code. But they're going to have to release ICS source eventually.

    • Flynny

      You can't blame this on Android. This is completely HTC's fault. And the common thought is that Honeycomb was a rush to get something out, and they don't want to release the source because Google doesn't want you to see how bad it is. Expect normal open source practises to resume with ICS.

    • Deltaechoe

      No, the reason Honeycomb is closed source is because it is an unfinished version of Android. It was rushed out the door and was pretty much just a precursor to Ice Cream Sandwich

  • quietly monitoring

    HTC Incredible S (software version 2.30.405.1) bought in Europe:

    The HTCLogger.apk and HTCIQagent.apk are not present, the HTCfeedback.apk is.

    The loggingdangerapp doesn't reveal any information, because the connection on port 65511 is refused.

    So the Incredible S doesn't seem to have this vulnerability.

  • http://ocaoimh.ie/ Donncha O Caoimh

    A friend checked his HTC Desire and it's clear.

  • Ruben

    I have a T-MOBILE Sensation, and it had this logger apk. I am rooted running Android Revolution 3.6.1. Got rid of the apk. Thanks for the heads up. Gonna let rom dev know this, hopefully he can get rid of.

  • Tim K

    FYI, connection refused on Droid incredible, 2.2

  • http://www.dev4press.com/ Milan Petrovic

    I am glad that I decided to purchase Samsung Galaxy S2 instead of HTC EVO 3D. But, Android being open source, maybe some other phones will get exposed. All Android manufacturers should take a look at all the custom programs they are running on their phones, this HTC blunder may repeat to some other companies.

    • Balthazar B

      The underlying issue is not necessarily limited to Android devices. Any manufacturer can effectively do the same with any mobile OS, I suspect. With some, it won't be so easy to detect and remediate, though.

      • http://twitter.com/#!/brandonjnunn bjn714

        Agreed. While I understand the logic behind including this for diagnostic reasons, the user should at the very least be required to OPT-IN and it seems that as related to the security hole, that is what security professionals and the community are for. Yes it should have been caught before release, but it is possible that HTC did not know that it could be manipulated in such a way.

        My bet is they will just update the methods used to be more secure, but I bet the logger stays there in future releases.

  • Janne

    Looks like a debugging and logging service. I bet this can also be used remotely. Did you try connecting from remote to the phone? If my assumption is correct the service will have all access :S

    • http://www.AndroidPolice.com Artem Russakovskii

      It's bound to 127.0.0.1, so it won't listen to connections on other interfaces.

  • jamie

    I've tried to get logging danger app from market and it comes up that there's no app listed. Would like to know if Desire S has this issue. Thanks for any help

    • Deltaechoe

      you would not be able to find this on the market, you will have to go to the link that is presented in this article to find it

  • Level 380

    Connection refused on desire hd (uk version running gingerbread)

  • sage

    Wow, this security problem plus the problem I've been having with the HTC Sense restarting on me every hour (it seems that way at least) makes me really think twice about who my next smart phone manufacturer is going to be.

    • Mike Bee

      Think it needs to do that to keep the activation numbers up...

  • jamie

    Looked on Astro file manager and no file with that name so I gather it's not on Desire S

  • Mikeyy

    Matter is serious, but...

    Is that guy realllyyyyyyyy called Just-in Case!? I re-read it 4 times just to be sure. :D

    • http://www.AndroidPolice.com Artem Russakovskii

      Is your name really Mikeyy? HOW CAN WE BE SURE?!

  • http://www.jimsurles.com Jim Surles

    Checked the wife's (stock) htc mt4g.. doesn't seem to work. Not listening on port 65511, and no /system/app/HtcLoggers.apk.

  • Ikit

    HTC Inspire, Rooted running CoreDroid 8.1 ( a Sense ROM)
    Getting the following after installing and launching the app.
    Logctl Port 0 ( can't edit it )
    Unexpected exception: /127.0.0.1:65511 - Connection refused.
    checked /system/app and found no HtcLoggers.apk

    • Jonathan

      Same here although I didn't run the app just no HtcLogger.apk. LeeDroid 2.2.9

  • Owen Finn

    This doesn't seem to be showing up on many phones... I've checked three and none of them have the htclogger.apk present.

    Is it carrier specific, perhaps?

  • Dave

    Thankfully I'm rooted and running CM7 on my Incredible. I'm also glad I haven't gone back stock and grabbed GB yet.

    Now we wait for Apple to sue HTC for patent infringement for installing apps that secretly collect personal data. :D

    • Rich

      Hey Dave, I am thinking about rooting my Incredible. Have been looking for some first person thoughts on doing it and wondering if you could point me in the right directions for info and instructions on doing it.

  • Brian

    For me and all other HTC owners, please clarify what we should do in response.

    1) Is it really necessary to root the phone? Can we just connect our phone to a Windows pc, find the files and delete them that way? If a root is necessary, please provide a link to a walkthrough.

    2) What exactly needs to be removed? HTCLogger.apk? HTCIQagent.apk? HTCfeedback.apk? Anything else? How about the log files themselves?

    Thank you, you're doing important work! I hope you're shaking things up at HTC.

    • Paul

      Brian. It's only for HTC phones using SenseUI, which is HTC's customization to Android. You can't simply delete the files, they're in a protected area and you will need root to remove them.

      Once you're rooted you can use an adb shell, which is a little complex for the average user, to remove the files. The easiest option is to install Titanium Backup Pro and you can use the SW to uninstall software in the core (aka /system/app) protected memory.

      Personally, if I had an HTC phone with SenseUI right now, I'd remove:
      androidvncserver.apk
      HTCLogger.apk
      HTCIQagent.apk
      HTCfeedback.apk

      • yahtzee50

        Paul. I have never rooted before and I am a little intimidated by the process. However, due to this unfortunate event, it is obvious that I should get over my fears and jump into the rooting world. Would you recommend Revolutionary being the easiest way?

        Edit: Is this vulnerability affecting the Thunderbolt's recent update to gingerbread? Or is it affecting Froyo also?

        • Paul

          I'm not 100% sure but since it affects SenseUI which is a wrapper around Android, I imagine it'd affect both Froyo and Gingerbread since there's SenseUI for both. I've heard good things about Revolutionary and its ability to root, I'd definitely give it a shot.

          Rooting isn't that bad. You can take it to crazy lengths and modifications, custom ROMs, etc. but you don't really have to. You can keep the stock ROM and just have it rooted to have access to remove bloatware, try out better software like Titanium Backup, etc. and most of the time root can be undone if you're really concerned about it.

  • Paul

    At least the T-Mobile G2 (aka HTC Vision) is an HTC phone that did not come with Sense. So G2 users should be safe. My own G2 is running CM7 so I'm safe.

  • Michael

    Mytouch 4g slide is vulnerable as well

    • Paul

      Yeah. I was just about to get this phone for the wife also. Was going to sell her HTC HD2 for $175 and pick a MT4GS for about $350 on craigslist. $175 for a phone upgrade and not having to renew the contract is great. I wasn't planning on rooting it but now the first thing I'll do when I get this phone is root it and remove:
      androidvncserver.apk
      HTCLogger.apk
      HTCIQagent.apk
      HTCfeedback.apk

  • WW

    Wait, what?

    *burns his HTC Sensation*

    • Simon Belmont

      I read that as you having a "burning sensation" and I laughed. Sorry. :D

      Better get that checked out. Pronto. :P

  • http://www.fosterrefrigerator.co Blast Chiller

    This is why you should install trustworthy ROMS like CyanogenMod!

  • http://androidsuomi.fi androidsuomi

    Finnish HTC Sensation. Newest OTA installed (2.3.4), no htcloggers.apk present. Phone is 100% stock.

  • Axel Siebert

    Eh... when addressing HTC, you surely meant "The ball is in [y]our court.", right?

    • http://www.AndroidPolice.com Artem Russakovskii

      Doh, I have a problem with a "y" ke apparentl. :p

  • ZaInT

    This does not work on my Desire S with Android 2.3.4. and Sense 2.1.
    I think it's called the Saga in the US.

  • Ray

    I'd really like the article contributors to inform us of any apks from the market or elsewhere that they are able to determine USED the exploit. This would be helpful for obvious reasons. I would surely refuse to ever use software from any company that decided it was ok to use the key under the mat once they knew it was there. Whether or not it was with malicious intent.

  • pm

    Confirmed vulnerability on the HTC Evo Shift. Test app spilled data just as in the screencaps above.

  • Sam

    HTC Desire (Android 2.2) and HTC Sensation (Android 2.3.4, Sense 3.0) are clear, files not present and POC app gives "Connection Refused" on port 0.

  • http://www.mycomputerdoctor.net MyComputerDoctor

    ATTENTION ALL: I am an HTC Thunderbolt user and I just called Verizon (*611) and explained that I use my phone for extremely sensitive purposes and had the representative go to this site. I told her that as a long time customer I wanted a NEW PHONE. Guess what? I am about to take a ride to my local Verizon store... They are giving me a New Phone of equal Value. Free Upgrade Time....

    • yahtzee50

      Equal value? The thunderbolt is now worth $150 right? You would be downgrading, wouldn't you? Unfortunately, I bought the TB when it was first released. Let me know what they offered you.

      • http://www.mycomputerdoctor.net MyComputerDoctor

        In Verizon stores the TB is still $249.00 (refurbs are $149.99) but if they give me any trouble, I am going to cause a ruckus.

        • yahtzee50

          Ahh, I see. So if we decide to go this route.
          1. Should we be choosing a phone that does not have Sense?
          2. Will we have to trade-in/give them our TB? Does this also mean that we will have to wipe our phone?

        • http://www.mycomputerdoctor.net MyComputerDoctor

          I would definitely think that our case is much stronger if we do not go back to an HTC phone again.. And yes, I am sure we will have to give them the Thunderbolt back again.

      • http://twitter.com/#!/brandonjnunn bjn714

        In the past when Verizon authorized a replacement NEW device, the values used are the full off-contract prices. So that is currently $569.99. The Bionic is only $589.99 just for reference. If they do things the same, it would only be a $20 difference for the Bionic. Good deal.

        • yahtzee50

          Doesn't the Bionic have worse (compared to TB) standby battery life though? My TB's battery life is bad enough.

        • http://twitter.com/#!/brandonjnunn bjn714

          yahtzee50, most are reporting that the Bionic has far better battery life than the HTC. Plus if you go to the extended battery, it doesn't look like your phone is pregnant with a lithium-ion baby.

        • http://twitter.com/#!/brandonjnunn bjn714

          yahtzee50 also there is a Bionic update in the pipeline that the leaked testers are saying boosts battery life considerably.

    • Balthazar B

      Congratulations! I wouldn't have thunk VzW would be so accommodating!

  • BOOM!!@&

    Hmm, looks like my next phone won't be an HTC unless they get this fixed before the next HTC is out. Nexus Prime here I come.

    • Securityisportant

      NO MORE HTC FOR ME. NEXUS PRIME WITH STOCK!

  • Hans

    I am a rookie and the posts are confusing. Is there a way to prevent this?

    • Mark

      LOL. Just don't buy any HTC devices and you'll be safe.

  • Jaakko

    HTC Desire Z doesn't seem to have the aforementioned files, and the POC app throws "connection refused"-error on the screen, so I think it is safe.

  • Mario

    HTC Desire, ROM cool3d runnyv2, and yes, I found that apk file HTC logger and deleted it.
    So I guess it's not only on stock ROM.

    • http://twitter.com/#!/brandonjnunn bjn714

      If it is AOSP, it will not be there. If it is sense based, it is possible that the ROM dev left the file in there, probably not knowing that it was doing this.

  • http://Colibriofservice.de Tom

    On a German HTC Sensation straight out of the box there appears not to be this vulnerability, the POC gets me a connection refused on port 65511, and as I cannot input text I cannot send it directly to 59038, so I guess it's safe.

  • http://twitter.com/#!/brandonjnunn bjn714

    Dumped the data from my backup of 2.3.3 on Droid Incredible 2 and none of the files exist except the htcfeedback.apk (not mentioned in the article but only in the comments). I also dumped the 2.3.4 update as well and same thing. Looks like the Incredible 2 is safe.

    • http://twitter.com/#!/brandonjnunn bjn714

      The htcloggers.apk (htcfeedback.apk as well, but not sure what that one does) also seems to actually be in the Vigor RUU that was leaked. Don't keep this up HTC...

  • oxidant11

    So I just checked on my TB, the logger apk is there. I assume I can just delete it, right? Does it use anything that would start fcing?

    • yahtzee50

      How did you check for this file? Are you rooted? Must you be rooted to check the system directory?

      I have ES File Explorer, however I'm unsure how to search for this exact file.

      • http://twitter.com/#!/brandonjnunn bjn714

        You may be able to VIEW the system directory without root, but not positive. In ES File Explorer, tap the top left icon that looks like an SD card and it should drop you to the internal storage and you should be able to view the system directory. I believe this works without root.

        • yahtzee50

          Thanks! I was finally able to get to this directory. However out of the four files that were listed:
          androidvncserver.apk
          HTCLogger.apk
          HTCIQagent.apk
          HTCfeedback.apk

          I only found:
          HTCLoggers.apk (with an s)
          HTCFeedback.apk

      • http://twitter.com/#!/brandonjnunn bjn714

        yahtzee50, try running the app download from above to see if it is vulnerable with the htcloggers.apk file being present. If so, you would need root to remove or try to follow the poster that got an exchange from Verizon for an unaffected phone.

      • ray

        I found it with astro. Just press up until above the SD card and then enter, SYSTEM/APPS

  • JoAnn

    Glad I have CM7 on my Incredible but that will be the absolute last phone I buy from HTC. Samsung, here I come.

  • noctem

    Tried it on my unrooted Desire (from Vodafone Germany with German Sense), connection was refused.

  • BOOM!!@&

    I contacted Verizon and the rep I spoke with said it was the first time they heard of this, and I referenced this article and they were sending it to the higher ups. So we will see what happens.

    • yahtzee50

      Have you heard from them since? I did the same thing about 2 hours ago and haven't heard from them.

      • boom1378

        No, I haven't heard anything. I figured I wouldn't hear anything, but maybe they will call back tomorrow or another day.

  • ray

    Sprint wasn't helpful at all. I called and was transferred from C/S to Tech, and got someone who knew very little about tech. They insisted that it was not possible that HTC placed software on my phone which would allow such access. Will be contacting Sprint through their web site to get further help.

  • http://cad.cx/blog Colin Dean

    I've tried this on my girlfriend's HTC Sensation 4G from T-Mobile.

    When opening the application, the logctl port is 0 and I'm not able to change anything.

    I believe this indicates that this model is not affected.

  • http://verb0ze.net verboze

    Nicely written article, with a POC. While I'm not affected by this, it's nice to know the intricate details of the problem so we can decide for ourselves the severity of the issue and better defend against it.

  • Jim

    Nice write up Artem. Easily understandable & explained very well. I, too, hope this gets resolved asap!

    -used to be a near-future HTC phone buyer(after my current DX), but that thought has now changed if they're going to be pulling shit like this

  • randoom

    Shift has this problem according to the program.

  • https://market.android.com/details?id=com.rootuninstaller.free David

    Using Root Uninstaller to remove HtcLoggers.apk.

    https://market.android.com/details?id=com.rootuninstaller.free

  • Nick

    Could the remote access app be used when you locate your phone or do something with it via the sense website? In which case, you are giving them permission to use it when you agree to the terms.

    • http://www.AndroidPolice.com Artem Russakovskii

      A VNC server is not used for tracking, it's used for remote access.

    • http://twitter.com/#!/brandonjnunn bjn714

      That does make sense and to verify, I am downloading an Incredible S RUU to compare to my Droid Incredible 2. The Incredible S can access the HTCsense.com and the Incredible 2 cannot. Let's see if the vnc app is there. I will report back once I dump that ROM.

      Edit: to clarify, it makes sense that it is needed for access to the phone, not for directly tracking. Theoretically, if it gave access to HTCSense.com and used the VNC protocol, it could access the logs and data stored on the phone though.

  • jjdavidiot

    Running a unrooted Inspire 2.3.3 with Sense 2.1 and it appears to be in the clear.

  • Ron Amadeo

    Wow. Good job guys. There's even a proof of concept. <3
    This is the kind of work Android websites should be doing. Other sites are busy reposting rumors from 4chan trolls and you guys are doing serious research about an important issue.
    I'm proud to be here.

  • http://none James Hill

    Another reason to run AOSP roms! Phone manufacturers, WE DO NOT WANT YOUR CRIPPLED USER INTERFACE. STICK TO MAKING HARDWARE AND NOT SOFTWARE

    • http://twitter.com/#!/brandonjnunn bjn714

      While I am a huge advocate of AOSP based ROMs and AOSP in general and I do run AOSP ROMs myself, I do not entirely agree with this. The majority of customers buy the phone for the software, not just the hardware. Yes power users and hackers alike may want to get rid of it, but I don't think that OEMs should drop their own UI. That is the point of Android, to allow OEMs to customize to suit their target audience. I do disagree with data collection without express and clear user permission though.

      What I would like to see from the OEMs would be to have the option to use either the carrier modified OS or vanilla Android with a developer accessible option that way the manufacturer skin can be turned off. I doubt that will ever happen since that means 2 sets of code for every device, but I feel that would be the best implementation to appease those of us who do not want the custom software.

      • http://twitter.com/#!/brandonjnunn bjn714

        Hmm... So that is interesting. I looked through a few ROMs that I dumped from the Incredible S (which can connect to HTCSense.com) and the VNC app is not there. So it is possible it is framework for future or it provides additional features to the website, but I cannot verify that for sure just from a system dump. Just to note, the logger is not present on the Incredible S either, but there are many builds out there and I only looked through the 2 most popular ones since the downloads take forever unless you pay the file sharing site they are hosted on.

  • opp

    I submitted a case to http://www.htc.com/us/support/e-mail asking HTC what they plan to do to fix this problem... I would suggest everyone send them a case. I'm tired of phone manufacturers locking features or logging crap like this based on carrier request.. I mean, if your hardware is awesome why screw it up.. I think plain Vanilla Android without crap added should be an option.

    • Ray

      I submitted a request... Waiting for response

    • yahtzee50

      Response from HTC:

      You were wondering about some concerns about the security and access to personal information on your HTC ThunderBolt. I would be more than happy to assist you with this security inquiry. I understand your concerns about the safety of your personal information and we are investigating it. I will forward your information to the next level for further review. I would recommend that you keep an eye on our public domain sites like http://www.htc.com/US along with Facebook and Twitter for any developments. I thank you for your input concerning this issue.

  • Gabriel M. Beddingfield

    Thanks for the warning. Didn't find it on a T-Mobile Sensation 4G (Android 2.3.4, HTC Sense 3.)

  • yahtzee50

    I called Verizon and spoke with a supervisor. No luck, they tried to assure me that their networks were safe and that I had nothing to worry about.

    If anyone else has success, please let me know.

    • http://twitter.com/#!/brandonjnunn bjn714

      What department were you in when you spoke to a supervisor? Even if you choose tech support, you get customer service first to help reduce unnecessary calls to tech. You need to make sure they are in tech and keep trying. You are bound to find someone who will understand.

      • yahtzee50

        I called and originally spoke to their C/S, then I finally got transferred to their actual tech dept. After speaking with the tech's first line of defense, I was finally on the phone with their supervisor.

        • http://twitter.com/#!/brandonjnunn bjn714

          You may want to try again and direct them to this write-up since it is an issue where ANY app that requests a seemingly harmless permission to access the internet could get this information if it were malicious. It has nothing to do with the security of Verizon's network. You may not get them to agree, but it can't hurt to try again in the hopes that you will find someone who actually understands.

        • yahtzee50

          Yah, that's what I did :( I even explained that the security of their networks was irrelevant to our conversation. I may call again tomorrow in hopes of finding someone more competent.

          Thanks again for all of your support :D

  • Drootz

    So should I uninstall these files?

    Or do I just delete them?

    If I just delete them will anything start force closing?

    I have a Thunderbolt and found the HTC loggers.Apk

  • dreamcaster

    Verizon Incredible 2 looks safe for now.

  • Tarun Elankath

    This is extremely disturbing. They have basically left their Sense phones wide open for data collection.

  • TheDrake23

    Found the loggers on a European Desire HD (rooted, debranded and with custom ROM <-<)

    Can I just delete the apk? or do I have to do some thingamajic?

    (It's my wife's phone, I myself am a HD7 user <-<)

    • http://twitter.com/#!/brandonjnunn bjn714

      You could delete it, but you may consider renaming it to .bak or freeze with Titanium Backup so you can put it back if you need to, as deleting it could prevent OTA updates from applying properly.

  • http://androidsuomi.fi androidsuomi

    We have now tested multiple Sensations and 2 EVO 3D, Nordic, stock, WWE edition phones. The HtcLoggers.apk is not available on the devices, so this is an issue only with operator locked / US-editions of the devices.

  • Kurt

    Great post, Artem. My HTC Evo 4G runs the stock rooted Gingerbread 2.3.3. I had the HtcLoggers (with an S) APK. Is there any difference?

    Looked with Total Commander, mounted /system/app RW, then deleted the apk. The phone immediately started FC'ing over and over. I couldn't even click the 'restart' choice. One battery pull later, the phone seems to be working normally.

  • Ray

    This is my response so far from HTC on the matter

    You were wondering about some concerns about the security and access to personal information on your HTC EVO 4G. I would be more than happy to assist you with this security inquiry. I understand your concerns about the safety of your personal information and we are investigating it. I will forward your information to the next level for further review. I would recommend that you keep an eye on our public domain sites like http://www.htc.com/US along with Facebook and Twitter for any developments. I thank you for your input concerning this issue.

  • Carms

    Can you confirm with screenshots or any other evidence if by "Others" any T-Mobile HTC phone is included such as myTouch 4G, myTouch 4G Slide, and Sensation? If yes, I know the team that might be able to help for our devices. I do think HTC rocks and so far our phones at T-Mobile with HTC have been pretty excellent. Cannot say anything about the EVO at Sprint or Thunderbolt at Verizon. But if our T-Mobile phones are not included expose that as well.
    Obviously as with any statistical inference mathematically you would need to test several devices and variables to make this assumption as this could be an error of particular phones missing an update or other apps interfering with security.

    I read your whole article and it seems that your data is incomplete and mostly personal and in relation to Sprint phones.

    I'm not concerned about phones that are non-T-Mobile. Our myTouch devices run mySense which is a bit different (except Sensation which is pure HTC). Keep me posted so I can pass this up to the right people, I'd definitely like to help if any of the phones I support are particularly involved and if it involves more than just one or 2 people that can verify this.

    I'd definitely be convinced if at least 1% of users are affected (10K minimum, even 5K, 0.5%), but 1-2 people doesn't seem like a flaw of the system to me that I would go on and spread such news. We've sold over 1 Million myTouch 4G and so far no issues ever. *I don't endorse creating fear in a trusted product without having enough evidence.* - Carms

    • Ray

      Devices were named. And a recommendation to test your device was made. Not sure what all your stats are for...

    • http://twitter.com/#!/brandonjnunn bjn714

      Above one user did confirm on their myTouch 4G Slide that it was vulnerable to this security exploit.

      Later this evening I can visit my father and check his myTouch 4G.

      If you have access to these devices, you could test with the above app (only real way to test) or look for the files with a file explorer on the phone.

      Just because customers have not experienced issues on a newly discovered security hole does not mean they will never. Also it is just not good knowing that they are logging this data without express consent and it is logged in such a way that it can be accessed by using the most common app permission. The purpose of the app permissions is to prevent things like this.

    • Erika

      The files aren't present on my MT4G running 2.3.4

  • http://zekeweeks.com +ZekeWeeks

    Not affected on my stock 2.3.4 HTC Incredible. (Refuses connection)

    • Matt P

      Same for my DInc.

  • http://electrojelly.wordpress.com Emmanuel

    Oh no! Who could have known that. This is unbelievable... Give me a break. It's an open source platform. Of course something is going to leak out.

    • Collin

      ...This Has To Do With HTC Sense Which Is CLOSED SOURCE...Read The Article Before You Make Idiotic Comments...

  • Simon Belmont

    I just checked my old Sprint HTC Hero and the only .apk that's there is the HTCIQagent.apk file. That has been there since I got that handset in early 2010, which I still use as a Wi-Fi enabled Internet device.

    I still need to check my Sprint HTC EVO 3D and my wife's Sprint HTC EVO 4G. If I see the logger I will remove them or switch to a custom ROM like CyanogenMod 7.

  • Paul

    I'm glad I don't live in the USA. Seems all sorts of horrid privacy invasion is going on there.

    • asdfkkk

      True, so very sadly true it seems! Seems it's spiking up worse every day. The fight to get our personal data seems to be spearheaded by the likes of FACEBOOK! That is backed by .. well, not so privacy-friendly folks, it seems.
      Trust no one, NEVER!

  • Rami

    Tested on my brother's Droid Incredible 2 and it's safe. Says N/A and then says something about the network failed or blocked. And I did the getimportantinfo setting.

  • jim

    Unrooted Tfail. I have Astro and it gives an option to remove the .apk file. Will this adversely affect the rest of my phone? I'm really not wise on too many mods, but I also do not want private info accessed without my knowledge.

    • http://twitter.com/#!/brandonjnunn bjn714

      If you are un-rooted, if you choose that option it will fail because you do not have r/w permissions for /system. You have to have root to get rid of it or wait until HTC fixes it, unfortunately.

  • dbaines

    HTC Incredible Android 2.2 (Verizon)

    Unexpected exception: /xxx.x.x.x:65511 - Connection refused

    Yay for older phones! :)

    • Alex

      Confirmed. Though the xxx.x.x.x is just the loopback IP 127.0.0.1 ^^;;

  • z3ro

    Looks like the htcloggers.apk is present in the 2.3.5 Desire HD Sense 3.0 build. I'm running a build based on this release on my Incredible and the app is present. Gonna run the POC and see what happens. Will report back with results.

    • z3ro

      Well the app is present but the poc comes back with errors. Refused connections and unexpected exceptions, so while present, looks like those builds are safe.

  • JackV

    HTC: Quietly Draining your Bank Account

    • http://twitter.com/#!/brandonjnunn bjn714

      I doubt HTC had any malicious intent here. Likely it is meant to be the framework for some upcoming support system. They should not, however, have included a logging app without the appropriate consent and disclosure first. And maybe a little bit more security testing couldn't have hurt. The point of the article is that because of an oversight of HTC, these devices COULD be susceptible if the user downloaded an app that included code to exploit it.

  • JezNZ

    HTC Desire running official stock 2.3.3:

    Connection refused!

    • Grant

      Agreed. I have Desire 8181 with Official 2.3.3 and logger file does not exist.

  • http://www.Google.com DJ

    This file isn't in CyanogenMod 6.1 or 6.2 and I don't see that file anywhere on any of my Nexus Ones.

    So as far as I can tell this exploit isn't on the N1.

    • http://www.Boycotfacebook.com Thom

      Yea, don't have that file on my Nexus either.

      CM7 gingerbread

  • http://twitter.com/#!/brandonjnunn bjn714

    troll .

  • xterm

    Rooted HTC Thunderbolt running the latest stock official FROYO rom (2.2.1) here. I haven't made any changes to the stock firmware (haven't even uninstalled any VZW bloatware yet), but I can't find HtcLoggers.apk on my phone anywhere (don't see it in /system/app in Root Explorer). The POC application also is unable to establish a connection, so maybe this security hole is only affecting TBs with updated Sense/Gingerbread?

    • http://winrey.tmhk.it Eric

      xterm, I can't find it on mine either; the POC application also doesn't establish a connection on mine.

      Running Android 2.2.1
      Baseband 1.39.00.0627r
      Build 1.70.605.0

  • http://post.offbeatmammal.com Offbeatmammal

    The biggest problem is not that this exists, but how long it'll take to get a fix (if one is ever made available) baked for all the affected devices, tested, handed off to the operators, approved by them, neutered as required and pushed to phones.

    Much as people gripe about the iPhone and WP7 platforms, at least roll outs are quick and across the board...

    While I've resisted going down the cyanogenmod route with my current phone (not 100% happy with everything they're rolling into their ROMs and the hoops still required to jump through to get installed on some handsets - though that's still down to HTC) this might be the tipping point

    • http://www.Google.com DJ

      If you don't like CM you should check out some of the ports on XDA-Developers, they are working on getting FM transmit working on many of the 1st and 2nd gen phones.

  • Matt S.

    Desire HD does not seem to be affected.

  • James Katt

    HTC is DEAD as far as I am concerned.

    Not only did they put the keys to your home under the mat, they left tools in a toolchest, ladders, an open telephone line and an open wi-fi internet access to the contents, and left instructions where you can find the jewels, which are in an opened safe.

    Wow. This is breathtaking and DELIBERATE.

    • http://www.Google.com DJ

      The outlook looks pretty grim for them.

      The pattern unlock bug and now this.
      I hope they have a good damage control team.

      • http://twitter.com/#!/brandonjnunn bjn714

        To which pattern lock bug would you be referring? The one affecting the Samsung Galaxy S II that just was discovered? Wrong company.

        • http://www.Google.com dj

          hey buddy fuck off PLEASE.
          it's all Android any way you look at it

        • Collin

          DJ...the UI's are completely different and the vendors include different system files...has nothing to do with Android it has to do with shady manufacturers.

        • http://www.Google.com dj

          I know all about it, Collin.

          The sense UI and AOSP. They all contribute to the same pool files.

    • http://twitter.com/#!/brandonjnunn bjn714

      DELIBERATE? REALLY? Not likely. Sure they know they put the app there, but a security flaw in the app does not mean they are doing anything intentional. Unless you have proof they are mining this data themselves, you are making guesses. Let's stick to facts here. Instructions? If that were the case you would have had malware already on these devices, some of which have been running this software for months.

  • http://boycott.htc.com noiremenada

    I have loved my EVO 4G....... But this explains why I thought my phones had been cloned. They probably have been. I will never ever buy another HTC product as long as I live. This is criminally negligent at best.

  • Junito

    Can't wait to run Google Wallet on my shiny new device.

  • f3hunter

    Well I was going to say..Glad I have a DroidX. But who knows, they all probably have their hands in the cookie jar one way or another. Great work finding this vulnerability, these companies need to realize this will not be tolerated.

  • Manny

    I'm rooted EVO 4G and I'm trying to delete HtcLoggers; it says error deleting files

    • m33p

      I had to use Root Explorer. You can't delete using Astro and I was unable to delete using Titanium Backup.

      • Manny

        Yeah, I couldn't with Astro or any other root explorer. I ended up deleting it with Titanium Backup. After it deletes, it will say force close once the task is done; it will continue to say force close until you finally do a battery pull. After that you'll be good.

  • Roger Andreas

    I can't believe what I'm reading. Why would any company be that negligent about gathering customer information like that?

    This has class action lawsuit written all over it. If I were an exec at HTC, I'd be scared sh$%less right now.

  • http://SpectreWriter.com JT

    What happens to the 3D cam and all the rest if we go to CyanogenMod instead?

  • dadiweb

    HTC Desire HD, Germany/O2 brand, with Sense. Installed app, Connection refused. None of the files shows up in search.

  • Alain Sézille

    Hello,
    I have a Wildfire S with HTC ROM and still S-ON, not rooted thus.
    Your apk is giving me an error message unexpected exception: /127.0.0.1:0 - connection refused
    However, I can not set the port on any other value than the initialized 0!
    No paste, no keyboard showing when pressing the port number...
    I just can copy it to the clipboard, but seems fairly useless.
    Would you check that your application is able to let me change the port to test?
    Thank you anyway for warning us about such a major security breach!

    • Noname

      when you used that apk, did you turn the wifi on?

  • http://seguridadmobile.com Alberto

    This year I discovered a Directory Traversal vulnerability in the OBEX FTP service in HTC devices running Android 2.1 and 2.2 which allowed a remote attacker to download any file (contacts database, email database, FB database) via Bluetooth with few permissions.

    Here is the advisory, http://www.seguridadmobile.com/android/android-security/HTC-Android-OBEX-FTP-Service-Directory-Traversal.html

    I contacted HTC in February and did the follow-up for 5 months!!! After that time I was forced to go public because the company would never admit the security flaw. As far as I know, the company has not released any security fix yet.

  • Daniel

    Okay, awesome. But after removing the apk(s), where is the data stored?

    Just removing the apps does not help as the data is still there!?

    • http://www.AndroidPolice.com Artem Russakovskii

      The data is stored in /data/data/com.htc.loggers, but if the APK is removed, it will not respond to commands and won't tell you the exact file names of where the data is saved. Since /data/data is protected, apps need to know the exact file names in order to access them (this is different from Linux, surprisingly - there, they wouldn't be able to read anything under /data/data at all).

      • Noname

        can you let me know if the wildfire S has this massive security vulnerability?
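
Added example (not from the article, the comments or HTC): the reply above says files under /data/data can be opened only when their exact names are known. In POSIX permission terms that describes a directory granting search (x) but not read (r) to other users, and the sketch below audits a constructed tree for files exposed that way. The package name `com.example.logger` and every mode value are assumptions made for illustration.

```python
import stat
from posixpath import dirname


def _dir(perm):
    return stat.S_IFDIR | perm


def _file(perm):
    return stat.S_IFREG | perm


# Constructed sample tree (path -> st_mode). Not read from any real device.
SAMPLE_TREE = {
    "/data": _dir(0o771),
    "/data/data": _dir(0o771),                       # others: search only
    "/data/data/com.example.logger": _dir(0o751),    # hypothetical package
    "/data/data/com.example.logger/files": _dir(0o771),
    "/data/data/com.example.logger/files/report.txt": _file(0o644),
    "/data/data/com.example.logger/files/private.db": _file(0o660),
}


def ancestors(path):
    """Yield each parent directory of path, nearest first, stopping at '/'."""
    parent = dirname(path)
    while parent not in ("", "/"):
        yield parent
        parent = dirname(parent)


def other_can_reach(tree, path):
    """True if a process that is neither owner nor group can traverse to path.

    Traversal needs the search (x) bit for 'other' on every ancestor directory.
    """
    return all(tree[a] & stat.S_IXOTH for a in ancestors(path))


def audit(tree):
    """List regular files that other users can open by exact name.

    name_discoverable is True only when the parent directory is also
    readable by others, i.e. the file name could be found by listing.
    """
    findings = []
    for path, mode in sorted(tree.items()):
        if not stat.S_ISREG(mode):
            continue
        if mode & stat.S_IROTH and other_can_reach(tree, path):
            findings.append({
                "path": path,
                "mode": stat.filemode(mode),
                "name_discoverable": bool(tree[dirname(path)] & stat.S_IROTH),
            })
    return findings


def harden(tree, package_dir):
    """Return a copy with all 'other' bits cleared on package_dir and below."""
    fixed = dict(tree)
    for path, mode in tree.items():
        if path == package_dir or path.startswith(package_dir + "/"):
            fixed[path] = mode & ~stat.S_IRWXO
    return fixed


if __name__ == "__main__":
    for finding in audit(SAMPLE_TREE):
        print(finding)
    print(audit(harden(SAMPLE_TREE, "/data/data/com.example.logger")))
```

The audit works from mode bits alone, so it gives the same answer whether or not it is run with elevated privileges.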

  • Someone who actually cares about security

    You attention seeking fool - you could have given HTC a couple of weeks to respond, but instead you've exposed thousands of users to this vulnerability...

    • m33p

      You're the fool, you fucking moron:

      http://en.wikipedia.org/wiki/RFPolicy

      ^Which is exactly what Trevor did.

    • http://www.AndroidPolice.com Artem Russakovskii

      Welcome to the world of security.

  • Noname

    Has somebody checked on the Wildfire S?

  • http://nikolaenko.ru/ Denis Nikolaenko

    This should have been dealt with more delicacy instead of posting after a week. This article and PoC effectively exposed many users to this vulnerability. HTC is a monstrous corporation, they need massive amounts of time for this shit to flow to the tops. A month should be more appropriate, than a week. At least a threat should have been made to HTC to disclose this thing or disclose in some very very vague terms.

    • Rich

      That's a very company-minded position: protect the big guy, screw the masses. How much potential data could be transmitted in a month....... go back to your desk.

    • f3hunter

      I agree with Rich, besides..HTC knew it was there, it's there for their own reasons. They most likely already had a fix sitting on the shelf for this very moment. Their damage control teams are more worried about covering their own ass right now than getting the fix to the public.

  • Rich

    My phone HTC Sensation Z710e Android 2.3.4 Sense 3.0 Software 1.45.161.1: Your POC apk fails and /system/app/HtcLoggers.apk does not exist so evidently not vulnerable.

  • My Name

    Hiho,
    I've found the App on my 16GB WiFi only Flyer (Stock ROM 2.3.4).
    Thanks to unrevoked & Alpharev for root access. ;)

  • jamie

    Didn't realise it was only US phones; thought it was HTC in general

  • http://twitter.com/AlexOnVinyl @AlexOnVinyl

    Does it collect passwords at all? or is that redacted?

  • ogreboy

    Does blacklisting (using something like watchdog pro) HTCLoggers to 0% CPU help to reduce the potential exposure to this problem? Thought that might be a potential solution to those of us without root.

    • yahtzee50

      This is an interesting question. Please let me know what you find out.

  • cosmin

    For the amount of data and the importance of the respective personal data they get out of the paying customers, they should release the devices for free.

  • http://www.sirajsolutions.com sultan chughtai

    Hi all,
    I just downloaded the tool and ran it on my HTC Inspire and got the following message:
    Unexpected exception: /127.0.0.1:0 - Connection refused
    So it seems that I might be safe? If someone can second this then it will give my weak heart some courage ;-(

  • Bazar6

    What in the world... I thought HTC was going to kill Sammie and Moto, with Sense and customer satisfaction... if this goes beyond AP it could definitely put a dent in their PR with existing and future customers... It'll make me double check next time I get an upgrade.

  • RPFarrah

    FWIW: running MIUI on an HTC Incredible 2 and did NOT find the htcloggers apk.

  • Art

    The privacy law police could have a field day with this.

  • Drewskeetz

    I've put a "freeze" on htcLogger, however I also see a "netLogger 1.1 gingerbread", "PowerLog Collector", "VPN services 2.3.5"...should I freeze any of those as well?

  • http://www.sirajsolutions.com sultan chughtai

    Hi all,
    I just downloaded the tool and ran it on my HTC Inspire ( by ATT) and got the following message:
    Unexpected exception: 127.0.0.1:0 - Connection refused
    So it seems that I might be safe? If someone can second this then it will give my weak heart some courage ;-(
    Also, I enabled the WiFi and still got nothing!

    • Tanya

      I'm a little clueless about these things... can you tell me what tool you're talking about?

    • Me

      Same here. Also searched the phone for the HtcLoggers.apk and found nothing.

  • Raz

    Installed and tried POC app on Sensation T-Mobile U.K. Stock. Looks to be clear.

    Could only find HTCfeedback.apk

    Still...this VERY helpful article has pushed up my timetable to install a custom ROM.

  • boppy

    Desire Z - O2 Germany not affected.

    Android 2.3.3
    HTC 2.1
    Build 2.42.405.2 CL84109 release-keys

    Nothing special (not rooted, not modified anyways)

  • blondie

    Is it definitely only US phones affected?

  • not enough time

    I'm sorry but five days isn't good enough for a major vulnerability discovery within a large company let alone time for a fix. Have you ever worked at a large company before? Guess not. It can take up to two weeks to find the right person who can deal with the issue and escalate it in the correct bug tracker. Also, what if the "right people" are all on vacation? Plus, there are these things called spam filters that block e-mails, so it is entirely possible that no human being ever saw your message.

    And, before you quote to me that you abided by a Wikipedia article, I'm surprised no one has pointed out that is a stub, NOT notable, highly disputable, and NOT an official policy in the security industry. You didn't specify what methods of contact you attempted. So as far as anyone can tell, you didn't make any real attempt to contact HTC. Things you should have tried: Multiple e-mails to different people (at least two new e-mails each day), multiple phone calls, a couple of faxes, snail mail, and perhaps getting your butt out of your chair and walking into a local branch office that might have better contact information. If you didn't try these things, then you didn't try.

    Contact forms on websites almost never work - you'll get some office drone at best, some incompetent support system in Kizblehkistan at worst, with a high likelihood of the message getting dropped by a spam filter.

  • masi

    Thanks for all your work. GJ on this! Tested with Proof of Concept app, HTC Desire HD with latest (01.10.11) Virtuous ROM doesn't seem to be affected (app throws unexpected error, no connect possible)

  • Pinball_Newf

    Desire HD running Android Revolution 6.1.0 - file is present, POC app works... Deleted .apk

  • Jake

    I can't wait to use Google wallet with my new Android device. I want to store all my credit cards information right in my phone.

  • Ed

    Rootie tootie cutie boot. Thanks for the heads up, but I can't even understand half of what y'all are talking (writing) about. Long as my phone works I don't care if someone knows all this stuff. But I'm certainly glad that you folks keep on top of this. Eventually there will be some kind of 'fix', I'll check back then and see if you folks think it's worth a crap. In a past life I was involved in electronic and video, um, 'eavesdropping'. Privacy is a myth and people do some stupid shit when they don't think anyone is watching.

  • Az

    Stock Thunderbolt (not rooted) and I do not have the offending software. Program returns a connection refused.

    Unexpected exception: 127.0.0.1:0 - Connection refused

    Android 2.2.1

  • Mark

    HTC Desire A8181 UK model
    Gingerbread 2.3.3

    Connection refused, port 0

    I'm a newbie and I don't know what it means when it comes up with port 0. Does this mean the Desire is OK?

  • RD_Incred

    I searched my Incredible and I don't see HTCLoggers.apk in the system/app folder. Are Incredibles safe from this security breach?

  • PinkElephant

    Where do you find the 65511 port?
    On my Evo 3D this port is closed.

    top shows that the process com.htc.loggers is running.

    Your application shows the error Connection refused when started.

  • AndroidPoliceIsCool

    Nice work. Thanks for going to the trouble. You are really patient with all the RTFM questions you get from people who don't read the post carefully.

  • Steve

    What if you don't have HTCLogger?

    • yahtzee50

      You should be ok, but run the app ^^ just to be sure.

  • Clev

    After just getting a huge update from Verizon on my HTC Incredible 2, I'm getting "Unexpected connection: Connection refused." Whew!

  • Owen Finn

    I have tried this one on about a dozen different phones this past weekend (including a few on the list) and none of them showed the logger APK or any sign of collecting data.

    I'm in Canada.

    This, to me, points to carrier-specific issues! Update your article!

  • RockingmyEvo3D
    • squiddy20

      Wow. You do realize AC got their info from THIS website, right? What a moron.

      • yahtzee50

        He's just practicing his ability to create infinite loops. XD

  • Musel

    HTC Desire Z Germany model
    Gingerbread 2.3.3

    Connection refused, port 0

    Thanks for going to the trouble

  • Meredith

    Connection refused on myTouch 4G (not the Slide version).

  • fanboi

    get an iphone losers

  • http://www.lawyerviews.com/HTC-Evo-4G-privacy-lawsuit.html M Spark

    Looks like a law firm has a class action lawsuit over this flaw:

    http://www.lawyerviews.com/HTC-Evo-4G-privacy-lawsuit.html

    • http://www.AndroidPolice.com Artem Russakovskii

      Oh my...
