Backdoor Found in HTC EVO & Sprint Hero, Exploited to Gain Root Access

The development team calling themselves unrevoked discovered an executable binary called skyagent in the HTC EVO and the Sprint Hero. A second executable binary called hstools was also found in the HTC EVO. In addition to other capabilities, both binaries allowed access to the root of the phones’ file sytsems.
File this in the “this isn’t exactly new but now we know how it all went down” category. The skyagent binary could be used as a backdoor into each phone “allowing control of the device without the user’s knowledge or permission.” Skyagent was executable by any user without requiring elevated permissions. Once skyagent was invoked it would listen for commands over a TCP port on “all interfaces, including the 3G network.” The commands that unrevoked discovered are:
  • sending and monitor user tap and drag input (“PentapHook”),
  • sending key events (“InputCapture”),
  • dumping the framebuffer (“captureScreen”),
  • listing processes (“GetProc”),
  • rebooting the device immediately,
  • and executing arbitrary shell commands as root (“LaunchChild”)

It was skyagent that unrevoked used for their 1-click root method that can be found at

Likewise, hstools was another executable binary that could be used to pass command input to the phone with root permission. Hstools was exploited by unrevoked after skyagent was removed by the EVO launch-day OTA update.

Unrevoked makes a point to mention that they do not believe that either HTC or Sprint had any malicious intent with regards to these two vulnerabilities. It is believed that skyagent was a debugging binary that was never removed from the phone before official release. Unrevoked goes on to praise Google, HTC, and Sprint for their efforts in patching the vulnerabilities and provides a timeline of events:

  • 31 May 2010 23:53:08 EDT: Google security notified about skyagent
  • 01 Jun 2010 03:53:30 UTC: Automated Google response
  • 01 Jun 2010 16:45:46 UTC: Response from Google Security Team
  • 02 Jun 2010 23:18:31 EDT: Sprint security contacted about skyagent
  • 03 Jun 2010 01:18:58 CDT: Sprint response
  • 04 Jun 2010: Sprint OTA update removingskyagent binary.
  • 30 Jun 2010: Sprint OTA update patchinghstools vulnerability.

Source: unrevoked

About author

AndroidGuys 4641 posts

Founded on November 5, 2007, we've enjoyed bringing you the latest in Android news and rumors. Updated daily, we strive to deliver reviews, opinions, and updates on all things related to Android.

You might also like

Get This Look!

Get this look for your Android smartphone: Nexusonic

One of our absolute favorite things about Android is the fact that you can bend and tweak the platform to your needs.  Sure, there’s rooting and modding for deep level

News and Rumors

Potential T-Mobile Comet Successor Outed in FCC Documents

Recently uncovered FCC documents indicate that T-Mobile and Huawei me be working together on another handset. The filing shows the phone to have support for T-Mobile’s AWS bands among other decent sounding specs. The carrier currently offers the Huawei “Comet” as part of their pre-paid stable so this IDEOS X6 could be a potential successor.

News and Rumors

Flash Player Updated; Nothing Major

Adobe released a small update to Flash Player for Android. There’s nothing major in this update, as it’s most likely just to fix some bugs and improve performance.


  1. yohan
    July 11, 04:32 Reply

    that's must fix it as soon as possible :)

  2. eka
    July 11, 02:12 Reply

    thank you for info..

Leave a Reply