A Metasploit module has been developed to easily exploit a dangerous flaw in 75 percent of Android devices that allows attackers to hijack a users' open websites.
The exploit targets vulnerability (CVE-2014-6041) in Android versions 4.2.1 and below and was disclosed without fanfare on 1 September, but had since gathered dust, according to researchers.
Tod Beardsley (@TodB), a developer for the Metasploit security toolkit dubbed the "major" flaw a "privacy disaster".
http://www.theregister.co.uk/2014/09/16/three_quarters_of_droid_phones_open_to_web_page_spy_bug/
At least I'm running 4.4.4 however it does make you think that if you do buy say an Android phone that it's life maybe limited by software updates. I think don't buy cheap but be prepared for an expensive purchase to become vulnerable a couple of years down the line.
Theoretically all phones are vulnerable now... it's just that the vulnerability hasn't been discovered (or, if it has, disclosed) yet.