According to the security firm, if a user receives a 'specially-crafted' text message, hackers can then use the handset as a recorder and transmitter, which picks up audio within range of the device's microphone.
"You receive a specially crafted business card and once you open it, game over," Alex Fidgen, director of MWR Infosecurity, told V3.co.uk.
"We were surprised to find the lack of security architecture we needed to exploit in the way that we did."
The security firm also revealed mobile phones running older versions of the Google Android operating system were vulnerable to a flaw that gives hackers access to login and passwords for sites visited using the phone's web browser.
Fidgen told IT Pro: "There is just too much evidence that security isn't being incorporated by the mobile phone companies into their software."
"We don't think mobile phone companies are really ready to deal with security issues."
Google said the flaw has been fixed in 'Froyo' - version 2.2 of the OS - although the bug isn't exclusive to Android handsets.
"This is a bug which is not exclusive to Android and that can only be triggered if users visit a malicious website or access a malicious Wi-Fi network via their mobile phone," he said.
"We are not aware of any users having been affected by this bug to date, and it has been fixed in the latest version of our Android software. As always, mobile phone users can protect themselves by only visiting websites and using Wi-Fi networks they trust."
Palm, which said the current version of webOS fixes the security vulnerability, told IT Pro it takes security very seriously.
"While we do not comment on specific security enquiries, we do thoroughly investigate any potential security risks brought to our attention," the company said.
"We have procedures in place for security researchers to responsibly report risks and we partner with them to make sure any vulnerabilities are addressed and pushed to webOS users via our over the air update system."
Fidgen said the firm had discovered flaws in other mobile devices and will disclose more details in the coming months.