A bug quietly reported on September 1 appears to have grave implications for Android users. Android Browser, the open source, WebKit-based browser that used to be part of the Android Open Source Platform (AOSP), has a flaw that enables malicious sites to inject JavaScript into other sites. Those malicious JavaScripts can in turn read cookies and password fields, submit forms, grab keyboard input, or do practically anything else.
Browsers are generally designed to prevent a script from one site from being able to access content from another site. They do this by enforcing what is called the Same Origin Policy (SOP): scripts can only read or modify resources (such as the elements of a webpage) that come from the same origin as the script, where the origin is determined by the combination of scheme (which is to say, protocol, typically HTTP or HTTPS), domain, and port number.
The SOP should then prevent a script loaded from http://malware.bad/ from being able to access content at https://paypal.com/.