Researchers from North Carolina State University have discovered a number of vulnerabilities in smartphones running Google's Android operating system that allows hackers to record phone conversations and even wipe data without the user's permission.

The paper published by researchers Michael Grace, Yajin Zhou, Zhi Wang and Xuxian Jiang showed that handsets sold by HTC, Samsung, and Motorola contain code that can be exploited by untrusted applications. These "explicit capability leaks" can bypass key security defenses to access personal information and functions like test messaging without asking the user's permission.

"We believe these results demonstrate that capability leaks constitute a tangible security weakness for many Android smartphones in the market today," the researchers wrote in a paper that will be presented next year at the Network and Distributed System Security Symposium. "Particularly, smartphones with more pre-loaded apps tend to be more likely to have explicit capability leaks."

The researchers created a diagnostic app called Woodpecker and ran in eight Android phones: the HTC Legend, EVO 4G, and Wildfire S; the Motorola Droid and Droid X; the Samsung Epic 4G; and the Google Nexus One and Nexus S. They analyzed each pre-loaded application on each phone to look for "capability leaks" which could be exploited by malicious applications without requesting permission from the device user.

The researchers found that the phones had "explicit" capability leaks that allow applications to bypass the security measure of asking for the user's permission. There were also "implicit" leaks that allow other applications to piggy-back on other applications to inherit their permissions with the same digital certificate. The researchers focused on finding out if sensitive user information such as geo-location, access to address books and sending SMS messages could be exploited with the leaks.

The results were troubling. The researchers found that 11 of 13 privileged permissions were explicitly leaked by pre-installed apps. The most vulnerable smartphone was HTC's EVO 4G which leaked eight functions including text message service, audio recorder, GPS location finder, and camera. HTC's Legend leaked six functions while Samsung's Epic 4G had three leaks. Google's Nexus One and Nexus S contained one leak.

Apps downloaded from the official Android Market can be installed with the user's permission over what sensitive resources it will access. Unfortunately some manufacturer enhancements on Android can allow an app to be installed without the user's permission. The researchers showed how an app they designed was able to access audio-recording and SMS functions on an EVO 4G without getting permission from the user. The app was able to turn on a recorder or send unauthorized text messages.

The researchers said they had shared their results with Google and other handset manufacturers. Google and Motorola had confirmed the vulnerabilities in their handsets but HTC and Samsung "have been really slow in responding to, if not ignoring, our reports/inquiries." The researchers warn that other Android handsets could be vulnerable to attacks.