If you’re presently using an HTC Android device, chances are you’re a sitting duck for malicious hacking. Working with security experts Justin Case and Trevor Eckhart, Artem Russakovski of Android Police, reported about a security flaw in HTC Android gadgets that could potentially allow intruders to access sensitive information on your Android device.

Although Russakovski explicitly mentioned the HTC EVO 3D, HTC EVO 4G, and HTC Thunderbolt, there is a big chance that other HTC devices are also affected. Case, Eckhart, and Russakovski are still investigating the matter–and they are finding new issues the deeper they dig. Devices running stock HTC Sense are affected. Those running custom ROMs such as CyanogenMod, which are based on the Android Open Source Project, don’t seem to be affected.

The vulnerability apparently comes from a bunch of info-collecting logger tools that HTC pushed out to its devices through recent updates. Ideally, the information collected by such tools should only be accessible by privileged services or selected users. However, it seems that, on affected HTC devices, any Android app requesting android.permission.INTERNET can access

  • the list of user accounts, including email addresses and sync status for each;
  • last known network and GPS locations and a limited previous history of locations;
  • phone numbers from the phone log;
  • SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely);
  • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info.

The INTERNET permission is usually used by apps that require an Internet connection in order to function (e.g., for online interaction, for ads publishing/fetching, and the like). Such permission does not usually include permission to access other data such as your emails or phone log.

Russakovski believes that an HTC device can theoretically be cloned by using the information leaked through the said vulnerability.

Russakovski also asserts that HTC is to be blamed for this vulnerability, since “the only reason the data is leaking left and right is because HTC set their snooping environment up this way. It’s like leaving your keys under the mat and expecting nobody who finds them to unlock the door.”

HTC has already been contacted and informed about this particular vulnerability. However, the company has not yet issued any statement, much less a solution.

HTC may produce a patch for the vulnerability any time soon, but while such a patch is not yet available, Russakovski suggests rooting as a preventive measure. After rooting your Android device, the package file called Htcloggers should be removed immediately from /system/app/HtcLoggers.apk. It is also wise advice not to download or install apps from unreliable or suspicious sources.

To check whether your device has this vulnerability, hop over to the report about it on Android Police. Technical information is available there, as is a method for checking for the existence of the vulnerability on your device.