Charlie Miller, Mark Daniel, and Jake Honoroff of Independent Security Evaluators identified and exploited a security vulnerability in the Android operating system. There is an open security flaw in the browser that allows malicious web code to run a limited attack.
The New York Times reports that Rich Cannings, a Google security engineer, said, "We wanted to sandbox every single application because you can't trust any of them," and said that the company had already fixed an open-source version of the software and was working with its partners, T-Mobile and HTC, to offer fixes for its current customers.
Independent Security Evaluators is not disclosing what it did until a fix is made. They say the flaw was due to the fact that not all the latest software upgrades were used in the T-Mobile G1.
T-Mobile released this statement: "Google is working on a browser software patch for Android. We are coordinating with Google on a plan to soon deliver this update over-the-air to customers' G1 devices. For people currently using the phone, we do not believe this matter will negatively impact their experience with the device."
An update was released on Friday, October 31, and is being sent to G1 phones over the air.