This vulnerability makes a large number of Android applications act as a hacker pipeline into user’s devices and provides a way to install malicious software, send SMSs and more.
WebView allows the user to view a web application (or just a web page) as a part of an ordinary Android application.
The WebView class is an extension of Android’s View class that allows you to display web pages as a part of the appication’s screen layout. It does not include any features of a fully developed web browser, such as navigation controls or an address bar.
If you do not provide the annotation, the method is not accessible by your web page when running on Android 4.2 or higher.
What you should do?
As developers you should not assign unsafe functions.
As users you should try not to download suspicious mobile applications from third party markets and avoid clicking on suspicious links coming from strangers.
Users can be infected when they click on a URL link using a vulnerable application that allows opening a Java enabled browser or web page.
Here’s an example,
The webpage used to generate this attack:
September 16, 2013