At Black Hat USA 2012, security researcher Ralf-Philipp Weinmann demonstrated a vulnerability in several Android devices in which A-GPS is used to send illicit messages to the device. He explained that this could be used to send a report of the device's location any time an A-GPS message was sent, or even to gain complete control of the device.
In describing the attack, Weinmann pointed out that, for example, a malicious WiFi network could instruct a phone to relay all future A-GPS requests, even once the device has left the WiFi network's range. This further drives home the point that you should not join any networks you don't trust. As always, practice safe networking.
Weinmann said that manufacturers and software developers could solve the problem (we're assuming, read: hoping, via a software update), but that as of right now none have implemented a fix for the attack. It highlights, however, the need for devices to be updated much more quickly. OTA updates are a great tool for pushing software out to devices, but the road from a manufacturer discovering a vulnerability to software being pushed through the carriers and on to the devices can be a long one.
Hopefully we'll see this vulnerability patched before any real damage is done, though Weinmann says he "wouldn't count on it until you buy the next-gen device." Sad times.