Security researchers of the security group at the Free University of Amsterdam found a hole in Android. The scoop in Dutch [volkskrant.nl] - news is 10hrs old at time of writing, I didn't find an English source yet. Heck, the university hasn't even put out a press release, even though this is currently making a splash in the Dutch news.
In short, the researchers hacked the user's (desktop) browser and then installed (via this browser) a malicious app on the phone.This gave them basically full control over the phone: turning camera on/off, replacing installed apps with malicious versions, intercepting text messages, etc. In fact, they used this to reduce a common version of two-factor authentication (know password and have phone) to only one factor: they managed to intercept verification codes (text messages) sent by a bank.
The problem is not in a specific version of Android, but in the deep integration between Google's websites and Android. Google has been made aware of the problems late 2014, but has yet to publicly reply.