HTC admitted the risk and promised to release a patch very soon after investigating. The company said, "HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly."
Though HTC has not confirmed which models are affected, researchers suspect that the HTC EVO 3D, EVO 4G, Thunderbolt, EVO Shift 4G, MyTouch 4G Slide, some of the Sensation line, and even the upcoming Vigor line are open to the risk.
The flaw is named after the Android permission involved, "android.permission.INTERNET." The researchers who exposed the risk explained that an app can access an important file, which contains a huge amount of personal data including call history, emails, GPS and SMS data and much more, simply by requesting permission from the user to access the internet.
One of the researchers, Trevor Eckhart, shared a video about the flaw on his channel.
Researchers advised that until HTC patches the vulnerability, users with rooted HTC mobile phones can manually delete the logging tool found at /system/app/HtcLoggers.apk.
Users are advised to avoid downloading any "suspicious apps" that might exploit this security flaw. HTC also urges its users to "use caution when downloading, using, installing and updating applications from untrusted sources".