A security researcher named Joshua Drake has recently discovered a critical flaw in Android's media playback tool that allows a potential attacker to take complete control of your device with a simple text message. Once inside, the attacker will have unrestricted access to all the data saved on your handset (credit card numbers, personal messages, private photos, contacts, etc.). According to Mr. Drake (who works for Zimperium's zLabs), the vulnerability has not been exploited just yet, but approximately 95% of existing Android phones are affected by it.
If you're curious to find out exactly what this vulnerability is and how it can be exploited, I'll try to give you the short version. Malware can be hidden inside a video which is sent to someone as a message. Android phones use a service called Stagefright which automatically processes videos to prepare them for viewing, and the malicious code can get in during that processing stage. This means that, if you are using the standard Android app for messages, you can get infected simply by reading the message, even without launching the video. Even worse, if you're using Hangouts to manage your messages, you will be infected even if you don't open the message, as the app automatically processes all the incoming texts.
Just so you know, Mr. Drake discovered the flaw back in April and notified Google about it, but unfortunately, there's not much that the company can do to solve the issue. Why? Because the IT giant doesn't control the way phone makers (Samsung, Huawei, LG, etc.) and carriers push updates to their customers' phones. According to the security researcher, he has already sent Google a patch to fix the vulnerability, which the IT giant has accepted, but Mr. Drake believes that only about 20 to 50% of the devices currently in use will actually get the update.