The attack targets the browser on older phones running Android 2.1 and earlier. Keith's code targets the WebKit browser engine used by Android. When a user visits a website that contains his attack code, he is able to run a simple command-line shell in Android.
According to the article:
Because Android walls off different components of the operating system from each other, Keith's browser exploit does not give him full, root access to a hacked phone. But he can access anything that the browser can read ... That means that Keith's attack probably couldn't be used to read or send SMS messages or make calls, but it could snatch photographs from the phone or snoop on someone's browsing history.
Google says it is aware of the vulnerability in WebKit.