99.7% of Android apps are vulnerable to attack

This astonishing conclusion comes from researchers with the University of Ulm in Germany, who claim it all comes down to Android's fragmentation as an operating system.

This issue, Infosecurity notes, stems in part from the fact that the smartphone and tablet operating system is open source, which effectively means anyone can develop apps for the platform.

The researchers found that any Android device running 2.3.3 or lower has a weak ClientLogin authentication protocol, meaning that accessing online services like Facebook allows the login credentials to be stored for 14 days, during which time hackers can attack the smartphone or tablet computer.

According to the German research team, they wanted to know if it is really possible to launch an impersonation attack against Google services and started their own analysis.

"The short answer is: Yes, it is possible, and it is quite easy to do so. Further, the attack is not limited to Google Calendar and Contacts, but is theoretically feasible with all Google services using the ClientLogin authentication protocol for access to its data APIs", they said in their security blog.

The attack vector, they added, is very similar to stealing session cookies of websites (sidejacking).
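The weakness described above is that a long-lived ClientLogin token is sent in the clear, where it can be captured like a session cookie. As an added example (not code from the article or from the Ulm researchers), the following Python audit walks over captured HTTP request metadata from a device you administer and flags two things a defender would want to know: tokens sent over plaintext HTTP, and the same token reused over many days. The header shape `Authorization: GoogleLogin auth=<token>` is the documented ClientLogin format; the record layout, the 7-day threshold and the sample requests are constructed for this example.

```python
"""Audit captured HTTP request metadata for ClientLogin tokens sent in the clear.

Record layout (assumed for this example): (iso_timestamp, scheme, host, path, headers).
"""
from dataclasses import dataclass
from datetime import datetime
import re

# Documented ClientLogin header value: "GoogleLogin auth=<token>"
AUTH_RE = re.compile(r"^GoogleLogin\s+auth=(\S+)$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str        # "plaintext" or "long_lived"
    host: str
    token_hint: str  # only a prefix, so the audit output never stores a full token
    detail: str


def _auth_header(headers):
    """Return the Authorization header value, case-insensitively, or None."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            return value.strip()
    return None


def audit_requests(records, max_token_days=7):
    """Flag ClientLogin tokens sent unencrypted and tokens reused across >= max_token_days."""
    findings = []
    seen = {}  # token -> (first_seen, last_seen, host)
    for ts, scheme, host, path, headers in records:
        auth = _auth_header(headers)
        if auth is None:
            continue
        match = AUTH_RE.match(auth)
        if not match:
            continue  # some other auth scheme; not in scope here
        token = match.group(1)
        hint = token[:6] + "..."
        when = datetime.fromisoformat(ts)
        if scheme.lower() != "https":
            findings.append(Finding(
                "plaintext", host, hint,
                f"ClientLogin token sent unencrypted to {scheme}://{host}{path}"))
        first, last, _ = seen.get(token, (when, when, host))
        seen[token] = (min(first, when), max(last, when), host)
    # A token that stays valid for weeks is exactly what makes a captured copy useful,
    # so report tokens observed over a long window as a separate finding.
    for token, (first, last, host) in seen.items():
        age_days = (last - first).days
        if age_days >= max_token_days:
            findings.append(Finding(
                "long_lived", host, token[:6] + "...",
                f"same token observed across {age_days} days"))
    return findings


# Constructed sample records; the token values are made up for this example.
SAMPLE_RECORDS = [
    ("2011-05-01T08:00:00", "http", "www.google.com",
     "/calendar/feeds/default/private/full",
     {"Authorization": "GoogleLogin auth=DQAAAKEXAMPLETOKEN1"}),
    ("2011-05-01T08:05:00", "https", "www.google.com",
     "/m8/feeds/contacts/default/full",
     {"Authorization": "GoogleLogin auth=DQAAALEXAMPLETOKEN2"}),
    ("2011-05-14T09:00:00", "http", "www.google.com",
     "/calendar/feeds/default/private/full",
     {"Authorization": "GoogleLogin auth=DQAAAKEXAMPLETOKEN1"}),
    ("2011-05-14T09:01:00", "https", "www.google.com", "/",
     {"User-Agent": "Android"}),
]

if __name__ == "__main__":
    for finding in audit_requests(SAMPLE_RECORDS):
        print(f"[{finding.kind}] {finding.host} {finding.token_hint}: {finding.detail}")
```

Run against the constructed records, the audit reports the two plaintext calendar requests and notes that the same token was in use for 13 days; raising `max_token_days` to 14 drops the reuse finding, which is why a short token lifetime matters as much as TLS.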

"We tested this attack with Android versions 2.1 (Nexus One), 2.2 (HTC Desire, Nexus One), 2.2.1 (HTC Incredible S), 2.3.3 (Nexus One), 2.3.4 (HTC Desire, Nexus One), and 3.0 (Motorola XOOM) and with the native Google Calendar, Google Contacts, and Gallery apps (or respective synchronisation services)", the researchers explained.

The implications of this vulnerability, they go on to say, range from disclosure to loss of personal information for the calendar data.

"For contact information, private information of others is also affected, potentially including phone numbers, home addresses, and email addresses. Beyond the mere stealing of such information, an adversary could perform subtle changes without the user noticing", the researchers detail in their notes.

"For example, an adversary could change the stored email address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business", they note.

The good news is that later versions of Android have the problem fixed, Infosecurity notes, meaning that if users update to Android 2.3.4 or later, they will be immune from the problem.
