A team at MWR Infosecurity has uncovered a zero-day flaw in the Palm Pre operating system which allows the handset to be used as a bugging device.
Alex Fidgen, director of MWR, told V3.co.uk that a specially crafted text message can subvert Palm's webOS completely.
The flaw allows the phone to be used as a recorder and transmitter for anything within its microphone's range.
"You receive a specially crafted business card and, once you open it, game over," said Fidgen. "We were surprised to find the lack of security architecture we needed to exploit in the way that we did."
Palm's security systems do not use sandboxing in this case, unlike the security precautions seen in Google's code, Fidgen explained.
Palm, now part of HP, did not return requests for comment.
MWR also disclosed a flaw in older versions of the cross-platform WebKit layout tool which could allow an attacker to harvest user log-ins and passwords for sites visited on a handset.
The vulnerability has been fixed in Android 2.2, a Google spokesman told V3.co.uk.
"This is a bug which is not exclusive to Android and that can only be triggered if users visit a malicious web site or access a malicious Wi-Fi network via their mobile phone," he said.
"We are not aware of any users having been affected by this bug to date, and it has been fixed in the latest version of Android. As always, mobile phone users can protect themselves by only visiting web sites and using Wi-Fi networks they trust."