There are some limitations to the exploit, mainly that the third party must know the names of the files they wish to steal. However, since many devices follow standardized naming patterns for files like photos and videos, that may not be too great a reach after a little research. Cannon describes the process as follows:
- The Android browser doesn’t prompt the user when downloading a file, for example “payload.html”; it automatically downloads to /sdcard/download/payload.html.
The flaw has been independently verified by Heise Security, and right now the best advice is to be wary of suspicious-looking websites, HTML links in emails from users you don’t know, or unexpected downloads suddenly popping up in the Android notification bar. Given that Android 2.3 Gingerbread won’t be available to all devices after it launches, users still need to be careful until their phone is updated.