Recently, a new exploit that can attack Android devices came to light. Called Quadrooter, it is actually a set of four related exploits, all targeting Qualcomm chips. They rely on a malicious app that the user is tricked into installing, which then gains root access. From there, the attacker has total control of the device and can pull whatever data they want from it, or even use the device remotely for whatever they please.
Quadrooter is being dealt with on a number of fronts. Google has added protections against all four versions of Quadrooter to its "Verify Apps" feature, which means that the exploit will not find its way into the Play Store. Qualcomm has already fixed all four of the issues on all chips going forward, and Google has patched three of the four exploits in its August security update, with the final hole set to be plugged in September's update.
As with any Android vendor these days, Sony gets most security updates to its devices a bit later than Google puts them out, despite receiving them early to work on updates. They also do not update any phones that are past their end of life, leaving owners of older devices to either turn to the community for custom ROMs with updated Android features and security, or deal with insecure software. On the matter of Quadrooter, Sony responded to customer inquiries by stating that they were aware of the bug, and that they are working on getting the latest Android security patches out in updates to relevant devices in their stable as soon as possible.
Sony is actually pretty good about keeping some older phones up to date, and about sending out security patches soon after they hit, which means that most users will have nothing to worry about. In the meantime, and for those using legacy devices, Sony has advised users to stay out of suspicious app stores and only obtain apps from trustworthy sources. For most Sony devices, this will mean sticking exclusively to the Play Store, where the vulnerabilities are already null and void. Those who absolutely must sideload should wait for the security updates, which have not been given a time frame for release just yet.