Any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

• the list of user accounts, including email addresses and sync status for each last known network and GPS locations and a limited previous history of locations
• phone numbers from the phone log SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
• system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

This PC emulator is written in Javascript. The emulated hardware consists in: a 32 bit x86 compatible CPU a 8259 Programmble Interrupt Controller a 8254 Programmble Interrupt Timer a 16450 UART. The code is written in pure Javascript using Typed Arrays which are available in recent browsers. It was tested with Firefox 4 and Google Chrome 11 on Linux, Window and Mac (it does not work with Chrome 12 beta. As far as I know, it is a bug in the browser). In any case, a fast Javascript engine is needed to have good performance.