Researchers at NC State University have discovered a new bug in current versions of Android that would allow malware to spoof the sender of an SMS message. The exploit works on Gingerbread, Ice Cream Sandwich, and Jelly Bean, Google has been made aware of the issue and will be releasing a security patch.
In the meantime, the team at NC State says they won't be releasing all the specifics of how it's done, but chances are someone will find it now that they know what to look for and what version changes to inspect. This means it's important that you trust any applications you plan on sideloading onto your Android device. Of course, users who pick up a Nexus 4 with the built-in sideload scanner are covered.
The bigger issue, as always, is how long it will take OEMs and carriers to push any fix out to their existing phones. Unfortunately, the answer is either "a long time" or never, so it's up to you to be vigilant. If you get an SMS message from your bank, or school, or anyone who asks for personal or login details, tap the phone icon and call them just to be on the safe side.