This is a pretty scary attack, though I haven’t had the time to dig into the paper to see how widespread it may be (and my Android background probably isn’t deep enough to grasp all the implications). However, the demos are impressive.

Briefly, the attackers load an unprivileged application, which requests network access and nothing more. That application then exploits weaknesses in the operating system to collect data on the state of the user interface, from which they are able to actually extract sensitive information.

The blog ends with an assertion that similar issues may exist on OS X, iOS, and Windows, though it’s unclear if they’ve actually proven this yet. The Mactans talk at Black Hat last year demonstrated something similar on iOS, though I’m not certain if the two teams would be describing the same problem.