I am no security expert, but based on the video and the information, it seems to me that HTC needs to plug the hole to this security vulnerability and they need to do it fast.
From the information, an app needs only one permission request, to allow access to the Internet, to gather all your personal information on the phone. This is the data that is gathered:
- active notifications in the notification bar, including notification text
- build number, bootloader version, radio version, kernel version
- network info, including IP addresses
- full memory info
- CPU info
- file system info and free space on each partition
- running processes
- current snapshot/stacktrace of not only every running process but every running thread
- list of installed apps, including permissions used, user ids, versions, and more
- system properties/variables
- currently active broadcast listeners and history of past broadcasts received
- currently active content providers
- battery info and status, including charging/wake lock history
- and more
To me, this is serious, as a malicious app can gather this information in the background.
And here is the video.
So far, they have found issues with these HTC phone models.
Note: Only stock Sense firmware is affected – if you’re running an AOSP-based ROM like CyanogenMod, you are safe.
- EVO 4G
- EVO 3D
- EVO Shift 4G? (thanks, pm)
- MyTouch 4G Slide? (thanks, Michael)
- the upcoming Vigor? (thanks, bjn714)
- some Sensations? (thanks, Nick)
- most likely others – we haven’t verified them yet, but you can help us by downloading the proof of concept above and running the APK
They encourage anyone to help identify more affected HTC phones by downloading their “proof of concept” and running the APK that they created. You can download the APK here.