The Android based G1 (or Google) phone sold exclusively in the states by T-Mobile apparently executes typed text entered in any text entry box including on a web page or in the address book. Handsets running Android release 1.0 TC4-RC29 or earlier are affected by this flaw. What makes matters worse is the fact that the commands are executed as the "Root" user. Due to the Open Source nature of the Android OS, the bug was caught by users and traced down to a few lines of code in the init.rc system file.
To try this out:
"...Save anything you’re working on (this will reboot your phone!), open the keyboard tray on your G1, ignore anything you see on the screen, and type these 8 keystrokes: <return>-r-e-b-o-o-t-<return>. Poof, your phone will reboot. This only works on a real phone, not in the emulator, and only with firmware version 1.0 TC4-RC29 and earlier.
From the home screen select Menu > Settings > About phone, and look for the Build number (near the bottom). If you see this...