If the installed app doesn't have permission to access the Internet, it can launch a browser, which does. It can be set to launch the browser only when the screen is off and the phone is otherwise inactive, to keep activity covert.
It can also load its own URI receiver, which would allow it to communicate back and forth with a web site without having to launch a separate browser, the presentation said (PDF of slides, m4v video).
It can also make itself much harder to kill with the "Circle of Death" takeover tactic, in which the application runs as an Activity with a rejuvenation feature built into its shutdown process.
If the user kills the malicious Activity, on the way down it launches a Service that relaunches the original Activity, according to the Lookout presentation.
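The defender-side counterpart to the two mechanisms just described is manifest triage: an app that requests no INTERNET permission but registers a BROWSABLE activity on a custom URI scheme has declared exactly the receiver that lets a browser hand data back to it, and that combination deserves a closer look. The script below is an added example, not code from the article or from Cannon's app; the manifest it parses is a constructed sample, and the function and package names (`analyze_manifest`, `com.example.nopermapp`) are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Android attribute namespace used in AndroidManifest.xml.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for illustration; it is not from the article
# or from the No-permissions Reverse Shell app. It declares no
# <uses-permission> at all, yet registers a BROWSABLE activity on a custom
# scheme (a URI receiver a browser can hand data to) plus a Service.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.nopermapp">
    <application android:label="Example">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".CallbackActivity">
            <intent-filter>
                <action android:name="android.intent.action.VIEW"/>
                <category android:name="android.intent.category.DEFAULT"/>
                <category android:name="android.intent.category.BROWSABLE"/>
                <data android:scheme="exampleapp"/>
            </intent-filter>
        </activity>
        <service android:name=".KeepAliveService"/>
    </application>
</manifest>
"""


def declared_permissions(root):
    """Set of permission names requested via <uses-permission>."""
    return {e.get(A + "name") for e in root.iter("uses-permission")}


def browsable_custom_schemes(root):
    """(activity, scheme) pairs for BROWSABLE VIEW filters on non-web schemes."""
    found = []
    for act in root.iter("activity"):
        for filt in act.iter("intent-filter"):
            cats = {c.get(A + "name") for c in filt.iter("category")}
            actions = {a.get(A + "name") for a in filt.iter("action")}
            if "android.intent.category.BROWSABLE" not in cats:
                continue
            if "android.intent.action.VIEW" not in actions:
                continue
            for data in filt.iter("data"):
                scheme = data.get(A + "scheme")
                # http/https receivers are ordinary deep links; a private
                # scheme with no network permission is the pattern of interest.
                if scheme and scheme not in ("http", "https"):
                    found.append((act.get(A + "name"), scheme))
    return found


def analyze_manifest(xml_text):
    """Flag the manifest pattern behind a browser-mediated covert channel."""
    root = ET.fromstring(xml_text)
    has_internet = "android.permission.INTERNET" in declared_permissions(root)
    schemes = browsable_custom_schemes(root)
    services = [s.get(A + "name") for s in root.iter("service")]
    findings = []
    if schemes and not has_internet:
        findings.append(
            "custom-scheme URI receiver declared by an app without "
            "INTERNET permission: "
            + ", ".join(f"{a} ({s}://)" for a, s in schemes)
        )
    return {
        "has_internet": has_internet,
        "custom_schemes": schemes,
        "services": services,  # listed for the reviewer; see note below
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyze_manifest(SAMPLE_MANIFEST)
    for line in report["findings"]:
        print("REVIEW:", line)
    print("activities/services to pair up at runtime:", report["services"])
```

The manifest alone cannot show the "Circle of Death" relaunch: a Service is a normal component and the relaunch-on-kill behaviour lives in code, so static triage can only list the Activity and Service names for a reviewer, and confirming that a killed Activity comes back has to be done by observing the process at runtime.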
The No-permissions Reverse Shell – the app Cannon wrote to exploit the weakness – doesn't do anything wrong from the point of view of Android's security.
"We’ve exploited the Android Web Browser, although we are not exploiting a vulnerability due to bad coding, but rather using the functionality it legitimately offers to other applications," Cannon wrote.
The exploit is not malware or a virus. It wouldn't be caught by the kind of malware screen Apple gives iPhone apps in its App Store.
The exploit takes advantage of the assumption that apps will be honest in the requests they make for permission, that users will double-check what permissions they want and that none of the apps will do anything beyond the strict boundaries of the user's own expectations.
In a smartphone market in which even the carriers install high-functioning spyware to keep an eye on end users, that approach is painfully naïve.
Cannon wasn't trying to criticize Android security, or to crack it.
He was trying to prompt more discussion about how to structure permissions for Android apps and get users to pay attention.
That's a lost cause. Users won't pay attention. They can't or won't be responsible for their own security.