Samsung's dialing protocol allows arbitrary access to some system features, including
factory reset. This can be exploited trivially, by link, text, or QR code.
The tel protocol is generally used with phone numbers to provide clickable "call me" links on websites: tapping on the hyperlink in the handset's web browser opens up the dialling software and calls the number contained in the link. Such calls aren't made until the fandroid presses a "dial" button, so security is maintained - but some numbers don't require "dial" to be pressed, and it's those which are exploited in this attack.
The best example of an executing number - aka an unstructured supplementary service data message - is *#06#: enter that into just about any GSM phone and it will display the IMEI, the device's serial number. But, importantly, it will do that without one pressing the "dial" button.
That's benign, but try entering *2767*3855# on a Samsung Galaxy S3 and you'll be rewarded with an impossible-to-cancel factory reset before you can say shudda-bought-an-iPhone.
The good news is this should be trivial to patch -- just require a Dial press for system feature access, even if nothing's actually being dialed.
But in the meantime, if you've got a Samsung phone you may want to back up your shit just in case. As the article notes it's not a particularly likely target for widespread attacks since the days of purely-destructive computer attacks are largely behind us, but just in case...