According to recent research from the University of Ulm in Germany, 99 percent of Android smartphone users can be attacked with little effort whenever their phone signs in to a Google service over an unsecured wireless network.
Handsets running Android 2.3.3 and earlier are open to the attack because the ClientLogin authentication protocol, as used by the built-in sync apps, transmits the resulting authToken in cleartext over HTTP.
This is surely bad news for all Androiders. When an Android user signs in to a Google service that syncs through ClientLogin (Calendar and Contacts, for example), the authToken that comes back is typically valid for up to 14 days and is re-sent with every sync. To harvest such tokens, an attacker only needs to set up a Wi-Fi access point with the SSID of a common unencrypted wireless network, such as CoffeeStar. With default settings, an Android phone automatically connects to any previously known network, and many of its apps attempt to sync immediately, handing their authTokens to the attacker's access point.
The researchers detailed:
To collect such authTokens on a large scale an adversary could set up a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks…With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.
The researchers demonstrated the attack against a real Android handset, and it succeeded. The root cause is a security hole that Google only closed with Android 2.3.4, released a few weeks ago. Since a captured token stays valid for up to two weeks, a handset that has not yet received the 2.3.4 update remains exposed; until then, users should avoid open Wi-Fi networks and remove any unencrypted networks the phone remembers, so it does not auto-connect to an evil twin.
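To make the attack concrete, here is an added example (not code from the article or from the Ulm researchers) that does two things: it runs the sniffer's side of the attack over a constructed capture of sync requests, extracting every ClientLogin authToken sent over plain HTTP, and it shows the client-side check that stops the leak by refusing to attach the token to anything but an HTTPS URL. The `Authorization: GoogleLogin auth=...` header is the real ClientLogin format; the sample requests, hosts, feed paths and token strings are constructed for illustration, and the HTTPS-only rule is an assumed hardening that mirrors the kind of fix 2.3.4 shipped, not Google's own code.

```python
# Added example: what an evil-twin operator sees when Android apps sync a
# Google ClientLogin authToken over plain HTTP, plus the client-side guard.
import re
from urllib.parse import urlsplit

# Constructed sample capture: (TCP port, raw bytes) as an eavesdropper would
# record them. Tokens are made-up placeholders, not real credentials.
CAPTURED_REQUESTS = [
    (80, b"GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
         b"Host: www.google.com\r\n"
         b"Authorization: GoogleLogin auth=DQAAAMYAAAC1Example0123456789abcdef\r\n"
         b"User-Agent: Android-GData/1.0\r\n\r\n"),
    (80, b"GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
         b"Host: www.google.com\r\n"
         b"Authorization: GoogleLogin auth=DQAAAMYAAAC1ExampleContactsToken0000\r\n\r\n"),
    (443, b"<TLS record, ciphertext>"),  # encrypted: opaque to the sniffer
]

# ClientLogin puts the token in an Authorization header of this exact shape.
AUTH_RE = re.compile(rb"^Authorization:\s*GoogleLogin\s+auth=([A-Za-z0-9_\-]+)",
                     re.I | re.M)
HOST_RE = re.compile(rb"^Host:\s*(\S+)", re.I | re.M)


def harvest_tokens(captured):
    """Return (host, path, token) for every authToken sent in cleartext.

    Only port-80 traffic is inspected; anything else is assumed to be TLS and
    therefore useless to a passive attacker.
    """
    found = []
    for port, payload in captured:
        if port != 80:
            continue
        m = AUTH_RE.search(payload)
        if not m:
            continue
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        parts = request_line.split(" ")
        path = parts[1] if len(parts) > 1 else ""
        host_m = HOST_RE.search(payload)
        host = host_m.group(1).decode("ascii", "replace") if host_m else ""
        found.append((host, path, m.group(1).decode("ascii")))
    return found


def safe_to_send_token(url):
    """Assumed hardening: a bearer-style authToken may only travel over HTTPS."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)


def build_request(url, token):
    """Build the sync request headers, refusing to leak the token over HTTP."""
    if not safe_to_send_token(url):
        raise ValueError("refusing to send ClientLogin authToken over a non-HTTPS URL")
    parts = urlsplit(url)
    path = parts.path or "/"
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {parts.hostname}\r\n"
            f"Authorization: GoogleLogin auth={token}\r\n\r\n")


if __name__ == "__main__":
    for host, path, token in harvest_tokens(CAPTURED_REQUESTS):
        print(f"cleartext authToken for {host}{path}: {token[:12]}...")
    try:
        build_request("http://www.google.com/calendar/feeds/default/private/full", "x")
    except ValueError as err:
        print(err)
```

Running the block prints the two tokens recovered from the HTTP requests and the refusal for the plain-HTTP URL. The point of the `safe_to_send_token` guard is that the token is a bearer credential: whoever holds it is the user until it expires, so the only safe transport for it is an authenticated, encrypted channel, which the evil twin cannot read.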