Oh Jeez …
There is a flaw in Qualcomm’s Mobile Station Modem, a component in a vast number of Android phones from Google, Samsung, LG, Xiaomi, and OnePlus. The vulnerability is not in just one chip; the affected system handles a variety of tasks including voice, SMS, SIM unlocking and even some high-definition recording. This made the fix somewhat complex. Qualcomm provided fixes to the companies back in December, but as of yet those companies are not pushing them out to devices. The good news is that the fix will be part of the public June Android bulletin, which should help with distribution.
The vulnerability is a heap overflow, which a malicious app could take advantage of to access the Qualcomm Mobile Station Modem and inject code into it. Unfortunately for users, this code could well be undetectable and remain even after the malicious app was uninstalled. Once the code is running, it would allow the attacker almost complete access to the microphone on the device and access to texts, and could well even let them unlock the SIM to get around any limits your provider applies to their service.
Keep an eye out for updates, and install them as soon as you can, since it is not clear which models can fall victim to this attack, nor which are already patched.