Aarti Shahani for NPR:
The bad guy creates a short video, hides the malware inside it and texts it to your number. As soon as it's received by the phone, Drake says, "it does its initial processing, which triggers the vulnerability."
The messaging app Hangouts instantly processes videos, to keep them ready in the phone's gallery. That way the user doesn't have to waste time looking. But, Drake says, this setup invites the malware right in.
If you're using the phone's default messaging app, he explains, it's "a tiny bit less dangerous." You would have to view the text message before it processes the attachment. But, to be clear, "it does not require in either case for the targeted user to have to play back the media at all," Drake says.
Once the attackers get in, Drake says, they'd be able do anything — copy data, delete it, take over your microphone and camera to monitor your every word and move. "It's really up to their imagination what they do once they get in," he says.
Also left to the imagination— when your carrier/phone maker might get around to pushing you the update with the already completed patches, because as the article highlights, "Android partnerships are complicated," which rougly translates to "put your phone in a bag and put that bag in a river."