The majority of Android phones and tablets are vulnerable to hijacking from malicious texts. An estimated 950 million mobile devices are vulnerable to attacks that could come from six vulnerabilities which have been found in Android. Photos or videos with malicious code can be sent to Android devices to take them over.
Joshua Drake from Zimperium zLabs discovered the vulnerabilities and Drake says some devices could be hijacked even if a message is not opened. Once inside of a device, hackers can record video and audio, view photos, and take over Bluetooth. There are few limits on what attackers could do, particularly on devices like the Samsung Galaxy S4 and LG Optimus Elite.
Google was told of the vulnerabilities in April 2015 and patches have been issued, but Drake says "all devices should be assumed to be vulnerable." With the way Android works, many manufacturers must patch their devices before the vulnerabilities are removed and it's not known which companies have fixed their devices.
The vulnerabilities are found in Stagefright, a piece of media playback software. Hackers can exploit the vulnerabilities by creating a Stagefright MMS that could then allow them to write code to a device.