A security researcher ,Paul Brodeur, from Leviathan Security Group, has created a proof-of-concept app called "No Permissions" that demonstrate how an android application which doesn't ask for any security permission is still able to access to your sensitive data.
Usually, whenever android user try to install an app, a screen will be displayed to asks users to approve the permission requested by app. The purpose of Android Permissions is to let you know exactly what information an app maker is harvesting from your device, so you can make an informed decision over whether or not you want to install it. An app needs your permission to do even trivial tasks like performing network access, keeping the device awake.
According to Paul's research, even an Android app with zero permissions are able to access the sensitive data from your devices. His app which doesn't ask for any permissions is still able to access files on SD card, files stored by other apps and handset identification data.
In order to send collected information to the criminal, app will need INTERNET permission. Unfortunately, there is one network call that can be made without any permissions.
"the URI ACTION_VIEW Intent opens a browser. By passing data via GET parameters in a URI, the browser will exfiltrate any collected data. In my tests, I found that the app is able to launch the browser even after it has lost focus, allowing for transmission of large amounts of data by creating successive browser calls." researcher explained.
He tested the app against Android 4.0.3 and Android 2.3.5. If you are curious to know the capabilities of the app, then you can download it from here.