North Carolina State University researchers say that many Android phones include apps that can be used by hackers to bypass Android's security features.
"Some of these pre-loaded applications, or features, are designed to make the smartphones more user-friendly, such as features that notify you of missed calls or text messages," says assistant professor Dr Xuxian Jiang.
"The problem is that these pre-loaded apps are built on top of the existing Android architecture in such a way as to create potential 'backdoors' that can be used to give third parties direct access to personal information or other phone features."
The researchers tested eight different smartphone models, including two 'reference implementations' that were loaded only with Google's baseline Android software.
"Google's reference implementations and the Motorola Droid were basically clean," says Jiang. "No real problems there."
However, HTC's Legend, EVO 4G and Wildfire S, Motorola's Droid X and Samsung's Epic 4G all had significant vulnerabilities, with the EVO 4G the worst offender.
"If you have one of these phones, your best bet to protect yourself moving forward is to make sure you accept security updates from your vendor," says Jiang. "And avoid installing any apps that you don't trust completely."
He's notified the vendors of the flaw, and now plans to check other smartphone models for the same vulnerabilities and find out whether they're shared by third-party firmware.