A vulnerability in recent HTC Android software could allow a malicious app holding only ordinary permissions to read the extensive diagnostic logs kept on the phone, according to a blog entry at Android Police.
HTC customized its Android environment with a feature called Tell HTC, which keeps extensive logs on the phone and sends them to HTC. The feature is turned on by default. Most vendors have such data-collection agreements these days, and the data is used to improve service. The data collected here is, however, extensive, and in the wrong hands it could be used in various attacks, most obviously identity theft.
The vulnerability was discovered by hacker Trevor Eckhart. Eckhart's proof of concept app shows some of the data that can be recovered.
Eckhart describes the bug as a privilege elevation bug, but it is better termed an information disclosure bug. The problem is that HTC's logging component makes the collected data available to other apps on the phone without requiring the permission that should gate access to it.
The Android Police blog also explains how to root your phone in order to remove the logging application.
When an Android user installs an application, the system displays the list of permissions the app requests, and at that point the user must judge whether they trust the application with those permissions. The proof of concept application written by Eckhart requests only "Network communications - full Internet access" (android.permission.INTERNET), which is normal for any application that communicates over the Internet, so nothing in that list suggests the app can read the phone's logs.
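The permission model above only protects data if the component holding the data enforces a matching permission; an app's own permission list says nothing about what other components will hand it. The following is an added illustration of that point, written for this page and not HTC's code or Eckhart's proof of concept: an Android ContentProvider that serves diagnostic log rows, shown both without any check and gated behind the platform's own READ_LOGS permission. The package, class, authority and the sample log entries are assumptions for the example.

```java
// Added example, not HTC's code: an Android ContentProvider that hands out
// diagnostic log lines. Package, class and authority names are assumptions.
package com.example.diaglogs;

import android.Manifest;
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;

public class DiagnosticLogProvider extends ContentProvider {

    // Constructed sample entries standing in for the kind of data a device
    // logger collects; a real logger would read the system log or a log file.
    private static final String[][] SAMPLE_LOG = {
        {"1", "account", "user@example.com"},
        {"2", "location", "lat=0.0,lon=0.0"},
        {"3", "sms", "number=+15551234567"},
    };

    private static final String[] COLUMNS = {"_id", "category", "detail"};

    @Override
    public boolean onCreate() {
        return true;
    }

    // The weak variant: every caller that can reach the provider gets the rows.
    // With android:exported="true" and no android:readPermission in the
    // manifest, that is every installed app, whatever permissions it requested.
    public Cursor queryWithoutCheck(Uri uri) {
        return buildCursor();
    }

    // The hardened variant: the holder of the data enforces the permission the
    // platform uses for log access. The caller's own manifest is irrelevant;
    // an app that requested only INTERNET is refused with a SecurityException.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        getContext().enforceCallingPermission(
                Manifest.permission.READ_LOGS,
                "READ_LOGS is required to read diagnostic logs");
        return buildCursor();
    }

    private Cursor buildCursor() {
        MatrixCursor cursor = new MatrixCursor(COLUMNS);
        for (String[] row : SAMPLE_LOG) {
            cursor.addRow(row);
        }
        return cursor;
    }

    // Read-only provider: the remaining ContentProvider operations are refused.
    @Override
    public String getType(Uri uri) {
        return "vnd.android.cursor.dir/vnd.example.diaglog";
    }

    @Override
    public Uri insert(Uri uri, ContentValues values) {
        throw new UnsupportedOperationException("read-only provider");
    }

    @Override
    public int delete(Uri uri, String selection, String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only provider");
    }

    @Override
    public int update(Uri uri, ContentValues values, String selection,
                      String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only provider");
    }
}

/* Matching manifest entry (authority assumed). Declaring the permission here
   as well means the system refuses unauthorised callers before query() runs:

   <provider
       android:name=".DiagnosticLogProvider"
       android:authorities="com.example.diaglogs"
       android:exported="true"
       android:readPermission="android.permission.READ_LOGS" />
*/
```

Two practical notes. Declaring android:readPermission in the manifest and calling enforceCallingPermission in code are both worth doing: the manifest attribute stops the platform from routing the call at all, and the in-code check survives a later manifest edit that drops the attribute. Also, from Android 4.1 onward READ_LOGS is no longer granted to ordinary third-party apps, so on current systems the hardened variant is effectively reachable only by system and same-signature apps, which is the right audience for diagnostic logs.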