HTC screwed up big time here. If you are using the stock HTC Sense UI (and most folks are), they have enabled a backdoor into the phone's base operating system that essentially allows any app with simple permissions to sniff everything on or about the phone and send it back. Android itself is not at fault; HTC made modifications to Android that caused this.

In recent updates to some of its devices, HTC introduced a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users’ devices, easier remote analysis, corporate evilness – it doesn’t matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.

That is not the case. What Trevor found is only the tip of the iceberg – we are all still digging deeper – but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

the list of user accounts, including email addresses and sync status for each

last known network and GPS locations and a limited previous history of locations

phone numbers from the phone log

SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)

system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don’t expect it to read your phone log or list of emails.

But that’s not all. After looking at the huge amount of data (the log file was 3.5MB on my EVO 3D) that is vulnerable to apps exploiting this vulnerability all day, I found the following is also exposed (granted, some of which may be already available to any app via the Android APIs):

active notifications in the notification bar, including notification text

build number, bootloader version, radio version, kernel version

network info, including IP addresses

full memory info

CPU info

file system info and free space on each partition

running processes

current snapshot/stacktrace of not only every running process but every running thread

list of installed apps, including permissions used, user ids, versions, and more

system properties/variables

currently active broadcast listeners and history of past broadcasts received

currently active content providers

battery info and status, including charging/wake lock history

and more

via Massive Security Vulnerability In HTC Android Devices (EVO 3D, 4G, Thunderbolt, Others) Exposes Phone Numbers, GPS, SMS, Emails Addresses, Much More.