It works the usual way -- you make a payload that, when processed by buggy code, executes itself. If the buggy code happens to be an SMS packet parser, image decoder, text rendering, blocklist check or another 2 million things that happen to show you an incoming SMS (or even better, a flash message, or something not visible to the user), then you don't have to click on it.
I mean, if the bug is in the browser, you have to visit the page to have the payload get to you, but it's a phone. A device for other people to contact you.