Smith/HTC Loggers UI

Overview:
HTCLoggers.apk was a logging controller present in many HTC devices.

I provided a PoC code/demonstration on how this application was flawed here – http://infectedrom.com/showthread.php/559-Vunerability-1-Android-Security-Elevation

On 10/25/2011 patches pushed to american carriers removing this apk from many devices.  On sprint alone HTC EVO™ 4G, HTC EVO™ 3D, HTC EVO Shift™ 4G, HTC EVO Design 4G™, HTC EVO View 4G™ and HTC Wildfire S™ were effected. (source)

*Update* HTCLoggers.apk is back in newer versions of sense as Smith.apk with different signatures.  It is also using unix domain sockets instead of TCP ports.


How it works:
App responsible:
/system/app/HtcLoggers.apk

Where it writes to:
/data/data/com.htc.loggers/

Ports Opened: (see more at original PoC report)
TCP Port 65511 – htcloggerd from /data/data/ path.  Commands accepted
:getservices: – lists other listening services

LogCTL Port:
:help:
:getpath:
:bugreport:
:dumpsys:

Logcat Entries:

The following menus were available, and even though they claim are disabled, logcat entries showed otherwise:

D/HL:htcloggerd( 1335): uevent [change@/devices/platform/htc_battery/power_supply/usb]
D/HL:htcloggerd( 1335): uevent [change@/devices/platform/htc_battery/power_supply/ac]
D/HL:htcloggerd( 1335): uevent [change@/devices/platform/htc_battery/power_supply/battery]
D/HL:htcloggerd( 1335): uevent [remove@/devices/system/cpu/cpu1/cpufreq]
D/HL:htcloggerd( 1335): uevent [offline@/devices/system/cpu/cpu1]