[dz0ny]

I think this is a bit misleading article. First in order to application to send SMS message or any other privileged action, it must declare that at install time (in manifest file). Second in order to send SMS and expose function to JS runtime, function must be of subclass of JavaScriptInterface class (pre JB), or you can use annotation if you are targeting JB+ devices.

This means function must be exposed and written before you can actuality use exploit. Bottom line you can't just send SMS from WebView just by "accident" :) And properly written applications should not expose that function in first place.

PhoneGap seem likely target for this exploit. Facebook, Instagram ... and many others not.

[trurl42]

That is wrong.

Pre JB you can run any function by using reflection, as is demonstrated in the example.

anyjavaobject.getClass().forName("android.telephony.SmsManager").. etc.