HTC Sneaks Spying App into Android 2.3.4 Phones

It looks like HTC has quietly slipped its users a spying app that tracks an alarming amount of user behavior and sends that data off to HTC, and perhaps to others, via an unidentified service in the cloud. The snooping app came bundled with the Android 2.3.4 update pushed out to some of its smartphones, such as the Sensation 4G and EVO 4G.

TrevE and Team Synergy of the InfectedROM site (and of XDA fame) discovered the app. HTC bundles an application called Carrier IQ, and Carrier IQ recently added a user-behavior logging feature called IQ Insight Experience Manager.

According to the Carrier IQ website: "IQ Insight Experience Manager uses data directly from the mobile phone itself to give a precise view of how users interact with both their phones and the services delivered through them, even if the phone is not communicating with the network. ... Identify exactly how your customers interact with services and which ones they use. See which content they consume, even offline."

But wait, there's more. It turns out that once these stats are collected on the phone, CIQ isn't the only component with access to them. TrevE writes:

"CIQ is meant to monitor user activity and send logs off to wherever. Shortly after seeing this, Team Synergy went to work finding out exactly what was being done. ... Come to find out, CIQ is not the only part of Android responsible for sending these stats. They get written out by framework to 4 major locations."

The four locations are ...

1- /data/system/appusagestats: Holds a file that appears to record every Android intent used on the phone. An intent is an abstract description of an operation to be performed; it is what the system uses, for instance, to launch an activity, dial the phone, or display a contact's details. Logging every intent therefore amounts to logging what the user does with the device.

2- /data/system/usagestats: Team Synergy concluded that these are Google usage stats collecting much the same data as appusagestats, and possibly sending it somewhere else.

3- /data/system/userbehavior.db: This appeared to hold the IP addresses the data is sent to. The two addresses they found on their phone pointed at Amazon cloud services.

4- /data/system/dropbox: TrevE writes, "Now this is interesting: there were over 500 files in this directory. When we deleted everything in this folder and opened Market, logcat reported errors looking for these files. Why is the Market looking for these files on start?"
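If you want to see for yourself where a file like userbehavior.db points, the following is an added example, not Team Synergy's code or anything from the article. Pull the file with `adb pull /data/system/userbehavior.db` (reading /data/system requires root, as noted below) and carve IPv4 literals out of it as raw bytes, since nothing on the page tells us the database schema. The script validates each candidate with Python's ipaddress module, drops private, loopback and other non-routable ranges that cannot be an upload destination, skips dotted version strings such as 1.2.3.4.5, and dedupes. The sample bytes embedded below are constructed, and the addresses in them are made up; they stand in for the pulled file.

```python
import ipaddress
import re
from pathlib import Path

# Dotted-quad candidates only; the lookarounds reject longer dotted runs
# such as version strings (1.2.3.4.5) so they are not split into addresses.
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def carve_ipv4(blob: bytes) -> list[str]:
    """Return unique, globally routable IPv4 literals found in raw bytes,
    in order of first appearance. Works on any binary, schema unknown."""
    found: list[str] = []
    for match in IPV4_RE.finditer(blob):
        try:
            ip = ipaddress.IPv4Address(match.group().decode("ascii"))
        except ValueError:
            continue  # e.g. 300.1.2.3: matches the regex but is not an address
        if not ip.is_global:
            continue  # loopback, RFC 1918, link-local, multicast, test nets
        text = str(ip)
        if text not in found:
            found.append(text)
    return found


def carve_file(path: str) -> list[str]:
    """Carve a pulled copy of the database (or any other file) on disk."""
    return carve_ipv4(Path(path).read_bytes())


# Constructed sample standing in for a pulled /data/system/userbehavior.db.
# The layout and the addresses are invented for the example; only the
# SQLite header string is real.
SAMPLE_DB = (
    b"SQLite format 3\x00" + b"\x00" * 16
    + b"\x01\x00serverAddr\x0054.12.34.56\x00port\x00443\x00"
    + b"fallback\x0050.16.0.7\x00version\x001.2.3.4.5\x00"
    + b"local\x00127.0.0.1\x00lan\x0010.0.0.5\x00bad\x00300.1.2.3\x00"
    + b"again\x0054.12.34.56\x00"
)

if __name__ == "__main__":
    # Anything printed here is what you would then look up with whois.
    for address in carve_ipv4(SAMPLE_DB):
        print(address)
```

Run `carve_file("userbehavior.db")` on the real pulled copy; the addresses it returns are the ones to check against the cloud provider's published ranges or a whois lookup. Because the script treats the file as opaque bytes, it also works on the files under /data/system/dropbox if you want to see whether any of those carry endpoints.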

Do HTC users have the right to complain -- or even to opt out of this snooping? Apparently not, if the HTC license agreement is to be believed, points out Chris Chavez on the Phandroid site.

He notes that users are apparently required to agree. Look at Settings > About Phone > Legal > HTC Legal and you'll find that HTC tells you it is collecting information. Each device has been allocated "one or more unique identification numbers," the agreement says. It later adds: "HTC might share non-personal, aggregated information with selected third parties. However such information will not identify you personally." The privacy statement goes on like that for quite a few paragraphs, on the one hand explaining that HTC is gathering information and reserves the right to share it, and on the other promising that the data won't be personally identifiable.

The good folks at Team Synergy have, of course, managed to kill off the app, remove its hooks from the framework locations, and publish the result as a ROM. Unfortunately, flashing a ROM or touching system apps requires root access. And more unfortunately, as soon as you root your phone the snooping app will know, and could report that to HTC, voiding your warranty.