An exploit has been discovered in a media library that affects all Android phones from version 2.2 to the present version 5.1.1. A specially crafted Multimedia Messaging Service (MMS) message could run code on the victims smartphone without any user interaction. Google has issued a patch, but no patches have been pushed to any devices.
A known workaround is to disable auto-retrieval for MMS messages and then to only download messages from known contacts. Disabling auto-retrieval varies between different messaging apps and phone, but the process should be similar. Open your messaging app. Go to Settings> Advanced Settings> Uncheck the box next to Automatically Retrieve MMS messages
There is no know exploit code in the wild, but there will be a presentation about this exploit at the BlackHat conference next week.
Additional information can be found at
http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/