HTC Phones Vulnerable to Wi-Fi Stealing Android Apps
The HTC Evo 4G.
A security risk exists on some HTC phones that could allow an attacker to harvest the smartphone user's Wi-Fi password by deploying a malicious Android app.
Discovered by researchers Chris Hessing and Bret Jordan, the glitch can expose the user's Wi-Fi credentials to any program that requests basic Wi-Fi permission. If an HTC owner were to download a malicious Android app built specifically to harvest user data, the results could be disastrous.
"When this is paired with the Internet-access permissions, which most applications have, an application could easily send all stored Wi-Fi network credentials (user names, passwords and SSID information) to a remote server," the researchers explained.
The HTC devices at risk of exploitation are: Glacier; Droid Incredible; Thunderbolt 4G; Sensation 27103 and 4G; Desire S and HD; EVO 3D and 4G. MyTouch 3G and Nexus One phones are not affected, the researchers said.
HTC has acknowledged and developed a fix for what it called the "small Wi-Fi issue affecting some HTC phones." Most phones, HTC wrote on its website, have already received the fix through regular updates and upgrades; "However, some phones will need to have the fix manually loaded." The HTC site contains instructions on how to upgrade your phone.
The researchers said they found the bug in September, but publicly disclosed it only after allowing Google and HTC to address it and issue a fix.
This story was provided by SecurityNewsDaily, a sister site to TechNewsDaily.