Threat alert: Smartphone security flaw makes executives vulnerable

It's no longer a rumor: HTC smartphones have a major security flaw. One of the world’s largest smartphone manufacturers, HTC has announced it is working urgently on a patch to fix the problem. The vulnerability, discovered by the blog Android Police, exposes nearly all of a user’s data to any app that can access the Internet from the handset.

According to the blog, the problem is not specific to Android, but is the result of HTC adding its own tools to collect data from users, perhaps to improve its services. But these tools also enable apps to get access to information such as user accounts, GPS locations and phone numbers.

Obviously, this is a big concern for corporate security executives. Think about the potential damage that a leak of proprietary data from a company executive's smartphone can cause.

The flaw affects the HTC Thunderbolt and the HTC EVO 3D and 4G, among others, which run on the Android operating system. To illustrate, a malicious application could be created that only requests Internet access but in reality is gaining access to personal information, including the exact location of the Android user. Nicholas Percoco, senior vice president and head of Trustwave SpiderLabs (and a recent contributor to STE -- securitytechnologyexecutive.epubxpress.com/link/STND/2011/sep/76) recently sent me his insights on this security issue:

What are the security implications? Once the malicious application is connected to the HTC logging service, the hacker is able to export information without the user knowing or granting permission to do so. Once a hacker has this type of access, they can obtain any information they want. The sky is the limit for the nefarious activity that could come from it.

How can the data be stolen? A malicious application just needs to connect to the HTC logging service listening on a local network port on the Android device. Once connected, the application Htcloggers.apk (developed by HTC) is waiting for commands. Upon issuing pre-defined commands, the malicious applications would be able to access and export information kept in the HTC logs to an external system (controlled by an attacker) without the user knowing or granting permission to do so.

What can users do to protect themselves? While HTC works on a patch for this issue, users can "root" their Android device and independently remove the vulnerable application.

Visit www.trustwave.com/spiderLabs.php to learn more about Trustwave SpiderLabs.

Loading