Android Apps Can Access Key Data Regardless of Permissions
Researcher Paul Brodeur created a proof-of-concept app that was able to access system information, along with data on the device's SD card.
"Brodeur created a special Android application that explores what data can be harvested from a device when the app has no permissions," writes Boy Genius Report's Dan Graziano. "The researcher found that his application was able to access the SD card, various system information and unique handset identification data."
"So, all this data can be accessed and grabbed by the app, but can it be transmitted to a remote location? Brodeur says yes," writes Help Net Security's Zeljka Zorz. "By using the URI ACTION-VIEW Intent network access call -- which can be made without permissions -- the app can open a browser and pass the data to it via GET parameters in a URI, and transmit large amounts of data by creating additional browser calls."
"This isn't the first warning about the problem of loose application permissions on Android," notes Threatpost's Paul Roberts. "Researchers from North Carolina State University designed a similar application in 2010 to highlight flaws in the Android permissions scheme. And, in December, 2011, Thomas Cannon, a researcher at security firm viaForensics, demonstrated that an Android application without permissions could still give an attacker access to a remote shell on an Android phone, allowing them to run commands on the device remotely."