According to the findings, only three phones "properly" enforced Android's permission-based security model.
The conclusion is that Google's Nexus One and Nexus S phones with baseline Android configurations, as well as the Motorola Droid, "were basically clean." However, pre-installed applications added by manufacturers and carriers add a substantial risk of successful malicious attack to phones, Xuxian Jiang, an assistant professor of computer science at NCSU and co-author of a paper describing the research, said.
HTC’s Legend, EVO 4G and Wildfire S, Motorola’s Droid X and Samsung’s Epic 4G revealed "significant vulnerabilities." The EVO 4G was the most vulnerable phone with eight leaked permissions in the test. The Legend and the Wildfire had six leaks each, followed by the Wildfire and Droid X with four leaks each.
"Some of these pre-loaded applications, or features, are designed to make the smartphones more user-friendly, such as features that notify you of missed calls or text messages," said Jiang. "The problem is that these pre-loaded apps are built on top of the existing Android architecture in such a way as to create potential 'backdoors' that can be used to give third parties direct access to personal information or other phone features."
The researchers said that they notified the software vendors of the discovered vulnerabilities prior to the release of the report, and they recommend that users keep up with security updates from software vendors to protect themselves from attacks.