A YouTube video of the HTC Android phone hack
[A]ny app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:
- the list of user accounts, including email addresses and sync status for each
- last known network and GPS locations and a limited previous history of locations
- phone numbers from the phone log
- SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
- system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
So if you give an app INTERNET permission, like you might do to let it submit your high scores in a game to the game's web site, it's possiible for a rogue app to take advantage of this permission and extract all sorts of interesting information from your phone – information that you probably didn't expect it to be able to get.
Here's a YouTube video of this hack being carried out.