A link in a text message may link to something bad, the same as any other link anywhere else.
A link in a text message will probably open your (web) browser (Chrome, whatever) when clicked on (touched, whatever). Web sites may ‘contain a virus’, but that is less common than it used to be. Web sites may offer you a pdf or doc to download, which may ‘contain a virus’, or may lead you somewhere to enter your credit card and ID to ‘verify your identity’ – which is just as bad or worse than ‘getting a virus’.
Text messages themselves can crash or own your phone – just like a virus. Any modern phone should be immune.
‘Text messages’ may themselves be web pages – as well as SMS there is another common protocol that is used for sending messages that contain photographs. A message that contains a photograph may also contain something else that ‘is a virus’, but again this is not common – if someone knew a way to do this that worked well on common modern phones, it would either be extremely common, or a deep secret.
Although all of these things, and more, have happened in the past, they don’t often happen on devices with up-to-date software. What does happen is that someone follows a link, and it’s either a dead end, or some really old virus, or somewhere to ‘enter your credit card details’ or ‘enter your password’.
Ideally websites would not be able to put malware on your system, due to various checks. Modern browsers would either block or at least ask you about any downloads, and there would need to be a bug in the browser to do anything else. And most use some sort of bad sites list to mark sites that might cause harm to your computer.
That said, there’s little reason to ever click an unsolicited link. It wiol most likely be spam, a scam or fishing attempt, or something else undesirable.
New vulnerabilities are always being found in operating systems, software, drivers, etc - whilst systems are certainly, in a general sense, more resistant to running foreign code than they were, say, in the 1990s*, there are still, and will continue to be, ways for bad things to happen on a single click of a link. I’ve dealt with the aftermath of quite a number of such things, which managed to do damage, extract data or hijack permissions on a single click, on systems that were fully patched and running well-respected antimalware solutions.
It’s true that the significant majority of spam links will be simple phishing where they take you to a site that impersonates something else, to try to trick you into handing over passwords, personal details, financial info, etc, there is a minority of link attacks that are attempting more direct assault on systems or software.
In the past couple of years, I’ve seen:
A single-click attack that went to a sharepoint site running in MS Azure, which just looked like a blank browser page, but took control of the user’s Office 365 account, sent mails from their account, and stole their contacts and mailbox contents.
A single-click attack that was a cross site request forgery targeting YouTubers - when clicked, it added the attacker as a manager to their channel, with full permissions (the attacker could their shut them out of their own channel and hijack it for their own use)
*In some ways, it can be worse than it used to be - for example, it’s not uncommon now for mobile platforms to have configuration such as ‘always open this kind of link in the Zoom Meetings App’ etc - which means attackers can potentially directly target vulnerabilities in third party apps quite easily.