I came across an interesting behavior while doing some research regarding what kind of information one can access on an HTC Desire Z Android phone. A simple application with no permission to reboot the phone managed to do just that by simply reading a specific file on the phone. This turned out to be a kernel bug that could, with the help of another more serious vulnerability, be triggered also remotely when user visits a malicious website. The problem seems to only affect HTC phones, the mainline Android kernel is apparently unaffected.
More here: https://www.nixuopen.org/blog/2011/2/remote-reboot-for-htc-android-phones/"
Link to Original Source