An estimated 950 million Android phones are exploitable using a flaw known as "Stagefright".  https://threatpost.com/android-stagefright-flaws-put-950-million-devices-at-risk/113960

Quoted Text

..exploits could be particularly insidious given the fact that an attacker need only use a malicious MMS message that could trigger the vulnerability without user interaction, and delete the message before the victim is aware. All an attacker would need, Drake said, is the device’s phone number.

The problem is that even though Google can patch their version of the Android OS, most cell phones run a custom version produced by their vendor/reseller.  Many of those companies have been notoriously bad at keeping their firmware up to date with Google's.