HTC fixes Android data leak vulnerability - users told to updateby Steve Ragan - Oct 26 2011, 14:00
HTC has delivered on a promise to fix a data leak vulnerability discovered earlier this month. The patch, which is being delivered Over-The-Air to T-Mobile and Sprint subscribers, is an encouraged update for all customers.
Earlier this month, application developer Trevor Eckheart, along with Artem Russakovskii and Justin Case, initially discovered the problems after an update to the Sense UI (user interface) was released by HTC.
The update installed some new tools to their devices, which can be used to extract personal information simply by installing a malicious application that requires Internet permissions.
It allows any Android application that connects to the Web or shows ads to access a list of user accounts on the device, including email addresses and sync status. In addition, one can also access last known network and GPS data, along with a limited previous history of locations.
Moreover, the buggy tools expose phone numbers, SMS data, and other system logs. The SMS exposure includes encoded text, but it is unknown if this data can be decrypted. Also of note is the installation of 'androidvncserver'. As the name suggests, HTC has placed a VNC application on devices, but with no explanation as to why.
“Sprint worked closely with HTC after reports emerged of a potential issue that could allow malicious third-party apps to compromise data on Android devices made by HTC. We urge all users to install the update promptly,” the company said.
Additional information on the Sprint patches can be seen here. The update covers those using the EVO 4G, 3D, Shift 4G, Design 4G, View 4G, and HTC Wildfire S devices.
T-Mobile is also pushing updates for myTouch 4G Slide and G2 devices. Thunderbolt updates are packed inside the Gingerbread installation being pushed by Verizon. For those who have not seen the OTA updates, you can attempt a manual update by going to:
Settings - System updates - HTC software update - Check Now.