HTC is updating some of its Android phones to address a security vulnerability which could allow malicious apps to steal Wifi security information. In a post on its official support site, the manufacturer says that many of the affected handsets have already been updated over-the-air, however some may require a manual update.
On an affected device, the bug in question could allow an Android application with the innocuous-sounding "ACCESS_WIFI_STATE" permission to access Wifi passwords for any network the phone's connected to. According to security researchers Chris Hessing and Bret Jordan, who originally discovered the vulnerability, phones affected by the bug include --
- HTC Desire HD (Froyo, Gingerbread)
- T-Mobile myTouch 4G (Froyo)
- HTC Desire S (Gingerbread)
- HTC Sensation (Gingerbread)
- HTC EVO 3D (Gingerbread)
- HTC Droid Incredible (Froyo)
- HTC Thunderbolt 4G (Froyo)
TheNextWeb reports that Hessing and Jordan discovered the issue in September 2011, but worked with Google and HTC to track down the root cause and develop a fix before going public. That's why we're just hearing about this for the first time today.
As HTC says, if your device is affected, it's likely already been updated with the fix over-the-air. The manufacturer says to check back next week for more information on a manual patch for certain handsets. In any case, we're not too worried about this latest security scare, and we don't think you should be either. If you were affected, chances are you already have the fix. And after all, stealing a Wifi password is among the less menacing things a malicious app could do.