The problem stems in part from the way the provisioning works. While it supports provisioning through relatively secure methods like PIN codes, it doesn't require them. And it's usually down to individual vendors to decide how to implement this format rather than platform creators like Google, leading to inconsistent security. Affected Samsung devices, for instance, don't need any authentication at all to fall victim.

This variety also affects how secure your device is. Some vendors have been better at addressing the problem than others. Samsung fixed the flaw through a May update, while LG released its patch in July. Huawei, however, said it wouldn't deliver interface fixes until the next wave of Mate and P-series phones. You might have to wait weeks or months to get a solution, if you get one at all. Sony, meanwhile, reportedly "refused to acknowledge" the flaw and would only say that it followed the Open Mobile Alliance spec. Your Xperia might remain vulnerable unless there's a change of heart.

This wouldn't be as much of a concern if it weren't for the scale of the issue and the relative ease of launching attacks. Combined, the vendors represent more than half of all Android phones. And all you need to instigate the attack is a GSM modem (or phone in modem mode) and basic software to compose the messages. You can protect yourself by refusing these messages, but this could be a significant problem unless more Android vendors fall in line.