I recommend a variety of smart phones for budget conscious friends of mine (Lumia 52X and Android variants being among them). However, in light of recent proof of concept tools that can exploit obvious vulnerabilities I am forced to not only stop recommending Android, but actively discourage the use of version 4.1 and lower (4.2 has a patch, check availability).

From Dan Goodin:

The WebView vulnerability allows attackers to inject malicious JavaScript into the Android browser and, in some cases, other apps. In turn, it helps attackers gain the same level of control as the targeted program. The easiest way to exploit the bug is to lure a vulnerable user to a booby-trapped webpage. Within seconds, the site operator will obtain a remote shell window that has access to the phone's file system and camera. In some cases, the exploit can also be triggered by performing a man-in-the-middle attack while the victim is on an unsecured Wi-Fi network. By hijacking the app's update process, attackers can gain control over the same resources already granted to the app, including permissions such as access to SD cards and geographic data.

Every OS has vulnerabilities the question is how easily can the black hats trick you into falling into the exploit, and then what data is at risk. This particular attack vector is as wide and deep as you can imagine and the tools to take advantage of it are now readily and easily available. While Google has been rather slow in patching even the later versions of Android, this tardiness has been compounded by the lack of perceived value carriers get from pushing updates to users (I would argue that security and trust is the value, but will not do so here).

My recommendation if you own one of these devices is to change it is to visit only the most trusted websites, and of course, be very careful of the apps you download.