According to this news report in The Register more than 99% of Android phones can leak secret account credentials.
The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier, the researchers from Germany’s University of Ulm said. After a user submits valid credentials for Google Calendar, Contacts and possibly other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.
This vulnerability exists in Android 2.3.3 and earlier versions of the smart phone operating system. The problem is that the authentication token generated by Android is sent in cleartext (without encryption) and on top of that it can be used for up to 14 days after being generated, hackers can easily use it to log into your various online accounts.
Although Google has released a patch to solve this problem it only works for Android 2.3.4 and Android 3.0. Which means 99% of these phones are still vulnerable.