HTC is updating some of its Android phones to address a security vulnerability which could allow malicious apps to steal Wifi security information. In a post on its official support site, the manufacturer says that many of the affected handsets had already been updated over-the-air, however some may need to be updated manually in the future.
On an affected device, the bug in question could allow an Android application with the innocuous-sounding "ACCESS_WIFI_STATE" permission to access Wifi passwords for any network the phone's connected to. According to security researchers Chris Hessing and Bret Jordan, who originally discovered the vulnerability, the following devices are affected –
- HTC Desire HD (Froyo, Gingerbread)
- T-Mobile myTouch 4G (Froyo)
- HTC Desire S (Gingerbread)
- HTC Sensation (Gingerbread)
- HTC EVO 3D (Gingerbread)
- HTC Droid Incredible (Froyo)
- HTC Thunderbolt 4G (Froyo)
According to TheNextWeb, Hessing and Jordan discovered the issue in September 2011, but worked with Google and HTC to track down the root cause and develop a fix before going public, hence why this is only coming to light now.
As HTC says, if your device is affected, it's likely already been updated with the fix over-the-air. The manufacturer says to check back next week for more information on a manual patch for certain handsets. In any case, we're not too worried about this latest security scare, and we don't think you should be either. After all, stealing a Wifi password is among the less menacing things a malicious app could do.
- HTC: Fix is on the way for security flaw
- Google responds to Wallet hack, recommends not installing it on rooted devices
- Zvelo takes issue with latest Google Wallet update, says service still vulnerable
- Google responds to Google Wallet hacking claim, points out the obvious
- Google Play anti-malware system has potential security hole, Google’s probably patching it now