A vulnerability which could allow remote attackers to obtain data from Android devices has been discovered and made public by Thomas Cannon, a researcher from the United Kingdom. Full technical details have been withheld; however, the vulnerability is due to the manner in which content is handled during downloading and stored on the device's SD card. The location of downloaded files and some file names are either known or predictable. A demonstration video is provided of an attack utilizing malicious HTML content. Such malicious content can be delivered to the potential victim through email or a web server, however, the actual malicious code needs to be executed locally on the device. Cannon notes that data available to an attacker is limited to the content of the SD card and certain files on the device as the attack does not use root access and runs within the Android sandbox. Cannon informed the Android Security team of the issue prior to publishing his blog article and he reports that a fix for the issue will be provided in an upcoming maintenance release, an initial patch having been developed and currently being tested. Some workarounds are provided in the blog article.

We noted in yesterday's assessment that devices such as smartphones will often have sensitive personal and business data on them and any vulnerabilities which potentially allow an attacker access to files on such a device should be taken very seriously. We encourage users of such devices to implement device or file encryption options or solutions to minimize the risk of data exposure. While the workarounds provided in Cannon's blog posting are not vendor provided, we do urge users to familiarize themselves with them.

http://thomascannon.net/blog/2010/11/android-data-stealing-vulnerability/
http://www.h-online.com/open/news/item/Android-vulnerability-permits-data-theft-1141200.html