That's the conclusion reached by researchers at the University of Ulm, in Germany, who have found that any phones running a version of Android prior to 2.3.3 are vulnerable due to a weak ClientLogin authentication protocol.
Basically, any time an Android user signs into a service like Twitter, Facebook or a new Google account, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, the information is left wide open for thieves to steal.
Take it away, researchers:
"To collect such authTokens on a large scale an adversary could set up a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks... With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing."
Google patched the security hole earlier this month with the release of Android 2.3.4, but any version prior still transmits sensitive data through unencrypted channels. That means that more than 99 percent of Android handsets are vulnerable to the attacks.
Apps that use ClientLogin should immediately start doing so over encrypted HTTPS channels, the researchers said.
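As an added example (not from the researchers or the original article), here is a check an app developer could run over request logs captured from their own test device to find ClientLogin tokens that still leave over plain HTTP. The tab-separated log layout, app names and hosts are constructed for illustration; the `GoogleLogin auth=` header form is the one Google documented for ClientLogin and is not quoted in the article.

```python
import re
from urllib.parse import urlsplit

# Authorization header form documented for ClientLogin (not quoted in the article).
AUTH_RE = re.compile(r"^GoogleLogin\s+auth=(\S+)$", re.IGNORECASE)

# Constructed sample log: app <TAB> request URL <TAB> Authorization header ("-" if none).
SAMPLE_LOG = (
    "calendar-sync\thttp://calendar.example.test/feeds/default\tGoogleLogin auth=DQAAAconstructed1\n"
    "contacts-sync\thttps://contacts.example.test/feeds/default\tGoogleLogin auth=DQAAAconstructed2\n"
    "photo-app\thttp://photos.example.test/upload\t-\n"
    "calendar-sync\tHTTP://calendar.example.test/feeds/events\tGoogleLogin auth=DQAAAconstructed1\n"
    "truncated record without tabs\n"
)

def redact(token):
    """Keep a short prefix and the length so findings can be correlated safely."""
    return f"{token[:4]}...({len(token)} chars)"

def find_cleartext_tokens(log_text):
    """Return one finding per request that carries an authToken without TLS."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # skip malformed records
        app, url, auth = (p.strip() for p in parts)
        match = AUTH_RE.match(auth)
        if not match:
            continue  # no ClientLogin token on this request
        target = urlsplit(url)  # urlsplit lowercases the scheme
        if target.scheme != "https":
            findings.append({"line": lineno, "app": app, "host": target.hostname,
                             "scheme": target.scheme, "token": redact(match.group(1))})
    return findings

def apps_to_fix(findings):
    """Apps that sent at least one token in cleartext."""
    return sorted({f["app"] for f in findings})

if __name__ == "__main__":
    for f in find_cleartext_tokens(SAMPLE_LOG):
        print(f"line {f['line']}: {f['app']} sent token {f['token']} to "
              f"{f['scheme']}://{f['host']}")
    print("apps to move to HTTPS:", apps_to_fix(find_cleartext_tokens(SAMPLE_LOG)))
```

Tokens are redacted in the findings so the audit output itself does not become another place where a usable authToken is stored.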
What can you do for now? A Verizon spokeswoman said users should consider using their devices only on secured networks.
More on this as the story develops...