It works like this: the Android browser doesn't prompt you for permission when it downloads a file. It then saves the file on your SD card, from which it can run JavaScript locally without permission. That JavaScript can then expose your data.
The discovery was originally made by Thomas Cannon, who found that these exploits gained access to whatever is stored on the SD card. For many, that just means music and apps, but it could also include personal photographs, or even sensitive business or personal information.
On the upside, the exploit isn't capable of mining just anything on your device. It has to know the name of what it's looking for, but that could still include ubiquitously named folders like "Music" and "Photos".
The Android team is working on a fix for Gingerbread (Android 2.3), which is expected to be announced on December 6th. Especially considering not all devices will be upgraded to Gingerbread at the outset, you should be wary of suspicious or unknown websites until you receive the update.
source: Android Community via SlashGear
Android Data Stealing Vulnerability from Thomas Cannon on Vimeo.
