The flaw was discovered by insecurity researcher Thomas Cannon and in his spare time he also posted a "proof of concept exploit" using Android 2.2 on an HTC Desire smartphone.
It's only possible to retrieve data from the SD card on smartphones if the directory path is already known.
"However, a number of applications store data with consistent names on the SD card, and pictures taken on the camera are stored with a consistent naming convention," said Cannon. That means hackers can easily access the data.
Though Cannon used Android 2.2 on an HTC Desire smartphone for proof of concept, the exploit will work on any smartphone running any version of Android. However, the flaw runs in the Android sandbox so it's not a root exploit and thus can't be used to steal any file from a phone, only those on the SD card.
Cannon has already alerted Google's Android Security Team, which is working on a fix, but he thinks the fix will still leave a huge number of users vulnerable.
"Not all OEMs are providing Android OS updates to all of their devices, and the ones that are we have seen are not always doing it in a timely fashion," he said.
"There may be legitimate reasons for this but the bottom line is there will still be a great deal of devices exposed for quite some time or perhaps forever." µ
It's time for our regular two-step through the Google news
Bug bounty offer: accepted