Security researchers have discovered a way to bypass an Android smartphone owner's permissions and access private data stored on their smartphone.

At worst, a malicious app can exploit these vulnerabilities to record phone calls (see proof of concept video below), wipe the phone's user data, call or text premium-rate numbers, and read your private messages and emails, without ever asking you for any of those permissions.

Quick background: Android's security architecture is "permissions" based, meaning an app needs the smartphone owner's explicit permission to access private data, such as contacts and text messages. Permissions are granted at install time, all or nothing: if you reject an app's request for them, the app won't install. Simple as that.

So for a long time, mobile security rule number one was to check what an app was asking permission to access. A wallpaper app needs to know your geolocation? Red light. An Angry Birds lookalike app is requesting your contacts' phone numbers? Avoid!

But according to the researchers, certain pre-installed apps that manufacturers add on top of the stock Android OS expose the permissions they hold through public interfaces, so any other app on the phone can borrow those capabilities without holding the permission itself.

"These features are standard and make the phone more user-friendly,” said Xuxian Jiang, an assistant professor of computer science at NCSU. “They make the phones more convenient to use, but also more convenient to abuse.”

By the way, this differs from Carrier IQ's controversial data collecting firmware, which is embedded at the carrier's request.

The researchers developed a diagnostic tool called “Woodpecker” which analyzes the pre-loaded software in a phone's firmware and checks whether a dangerous permission held by one of those apps is reachable from a public, unguarded interface, that is, a component any other app can invoke. In other words, Woodpecker checks for capability leaks, where an app can gain the use of a permission without actually requesting it.
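The first stage of that kind of check, the part that can be done from the manifest alone, is shown below as an added example; it is not Woodpecker's code, which goes further and traces the code paths from each entry point to the permission-protected API. The script applies the install-time model described above: an app that holds a dangerous permission and also declares a component that is public (exported) and not guarded by a permission is a candidate capability leak. The two manifests are constructed for this example, the permission and protected-broadcast lists are assumed subsets, and the export defaults are the pre-Android 4.2 rules in force when the study was done.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


# Permissions whose exposure matches the abuses in the article (SMS, audio,
# calls, wipe). Assumed subset for this example, not the study's full list.
DANGEROUS = {
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CALL_PHONE",
    "android.permission.MASTER_CLEAR",
    "android.permission.READ_SMS",
    "android.permission.INSTALL_PACKAGES",
}

# Broadcasts only the system may send: a receiver that listens solely for
# these is not reachable from a third-party app even when exported.
# Assumed subset for this example.
PROTECTED_BROADCASTS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REMOVED",
}

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def is_exported(component):
    """Pre-API-17 defaults: an explicit android:exported wins; otherwise a
    provider is public, and any other component is public iff it declares
    an intent-filter."""
    exported = attr(component, "exported")
    if exported is not None:
        return exported.lower() == "true"
    if component.tag == "provider":
        return True
    return component.find("intent-filter") is not None


def reachable_by_third_party(component):
    """An exported receiver whose every filter action is system-only is not a
    usable entry point for another app; anything else exported is."""
    if component.tag != "receiver":
        return True
    actions = {attr(a, "name") for a in component.iter("action")}
    return not (actions and actions <= PROTECTED_BROADCASTS)


def is_guarded(component, app_guard):
    """True if a caller must hold a permission to reach the component."""
    if app_guard or attr(component, "permission"):
        return True
    if component.tag == "provider":
        return bool(attr(component, "readPermission")
                    and attr(component, "writePermission"))
    return False


def find_capability_leaks(manifest_xml):
    """Return (component name, component type, leaked permissions) for every
    public, unguarded component of an app that holds a dangerous permission.
    Manifest-level triage only: it flags entry points that could leak, it does
    not prove the component's code actually exercises the permission."""
    root = ET.fromstring(manifest_xml)
    held = {attr(u, "name") for u in root.iter("uses-permission")}
    risky = sorted(held & DANGEROUS)
    app = root.find("application")
    if not risky or app is None:
        return []
    app_guard = attr(app, "permission")  # default guard for all components
    leaks = []
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        if not reachable_by_third_party(comp) or is_guarded(comp, app_guard):
            continue
        leaks.append((attr(comp, "name"), comp.tag, risky))
    return leaks


# Constructed manifest of a hypothetical vendor diagnostics app.
VULNERABLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vendor.diag">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Diagnostics">
    <!-- public service, no permission: any app can start it -->
    <service android:name=".SmsRelayService">
      <intent-filter>
        <action android:name="com.example.vendor.diag.SEND"/>
      </intent-filter>
    </service>
    <!-- exported receiver for a custom action: any app can trigger it -->
    <receiver android:name=".RecordControlReceiver" android:exported="true"/>
    <!-- listens only for a system-only broadcast: not a usable entry point -->
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>
"""

# Same app hardened: the service requires a signature-level permission and
# the control receiver is no longer exported.
HARDENED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vendor.diag">
  <permission android:name="com.example.vendor.diag.CONTROL"
              android:protectionLevel="signature"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Diagnostics">
    <service android:name=".SmsRelayService"
             android:permission="com.example.vendor.diag.CONTROL">
      <intent-filter>
        <action android:name="com.example.vendor.diag.SEND"/>
      </intent-filter>
    </service>
    <receiver android:name=".RecordControlReceiver" android:exported="false"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST),
                            ("hardened", HARDENED_MANIFEST)):
        print(label, find_capability_leaks(manifest))
```

On the vulnerable manifest the check reports the service and the custom-action receiver as leaking SEND_SMS and RECORD_AUDIO, and ignores the boot receiver and the private activity; the hardened manifest produces no findings. A hit here is only a candidate: confirming it still requires showing that the component's code actually calls a permission-protected API on behalf of its caller.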

Jiang and his team tested eight popular Android phones, all of which showed capability leaks to varying degrees, which you can read more about in their white paper (PDF). The worst offenders were the HTC phones (Evo 4G, Legend, Wildfire S), followed by Motorola (Droid, Droid X), the Samsung Epic 4G, and Google’s Nexus One and Nexus S.

Since April 2011, the researchers have been sharing their results with Google and the handset manufacturers, and have received confirmation of the vulnerabilities from Google and Motorola. However, the researchers "experienced major difficulties" in trying to report the issues to HTC and Samsung.