Trevor Eckhart outlined a proof-of-concept attack in a YouTube video. Eckhart said that he informed HTC of the vulnerability on Sept. 24, but has heard nothing in reply. He waited five business days before publicly disclosing the vulnerability.
The flaw, which affects multiple models of HTC smartphones running Android, could allow attackers to steal a user's GPS location, SMS data, and phone numbers, Eckhart says. Any application granted Internet permission can access the HTCLoggers.apk file, which records user information, he notes.
HTC said Monday it is investigating the bug report. "HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible," according to a statement released by the company. "We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken."
The HTCLoggers vulnerability has been verified by researchers at Android Police, who called the flaw "massive."
"It's like leaving your keys under the mat and expecting nobody who finds them to unlock the door," the reviewers said of the vulnerability.