I recommend a variety of smartphones for budget-conscious friends of mine (Lumia 52X and Android variants being among them). However, in light of recent proof-of-concept tools that can exploit obvious vulnerabilities, I am forced to not only stop recommending Android, but actively discourage the use of version 4.1 and lower (4.2 has a patch, check availability).
Every OS has vulnerabilities; the question is how easily the black hats can trick you into falling into the exploit, and then what data is at risk. This particular attack vector is as wide and deep as you can imagine, and the tools to take advantage of it are now readily and easily available. While Google has been rather slow in patching even the later versions of Android, this tardiness has been compounded by the lack of perceived value carriers get from pushing updates to users (I would argue that security and trust is the value, but will not do so here).
My recommendation if you own one of these devices is to change it, to visit only the most trusted websites, and, of course, to be very careful of the apps you download.