Android’s open-source nature is a double-edged sword that brings a lot of advantages and also countless security holes. Security research firm Checkmarx recently disclosed a disturbing discovery that affects Google and Samsung smartphones. The vulnerability enabled hackers to take control of the smartphones’ camera apps, take photos covertly, identify the user’s location, record conversations, and record videos, to name a few.

Researchers at Checkmarx uncovered the vulnerability in the camera app of the Google Pixel 2 XL and Google Pixel 3. The vulnerability allows hackers to control the Samsung camera app and the Google camera app from another application, even if the user did not grant it any special permission. The security research firm demonstrated the vulnerability by building a faux weather app that requested access to on-device storage.

Similar to all other shady apps, it employs a two-pronged strategy. The app is harmless and does not trigger Google Play Protect, but once it is installed, it establishes a connection with a remote server. Even if the user closes the app, the connection to the server stays open, which allows the hacker to send it commands.

Once the app is executed, hackers can capture photos and record videos using the camera app of Google Pixel and Samsung smartphones without the knowledge of the owner since the microphone is muted. Additionally, the app detects whether the user is on a call and can record the audio of the sender and the receiver. Hackers can also get unrestricted access to all on-device videos and photos.

According to Checkmarx, the vulnerability was reported to Google in Jul. 2019. The search engine giant initially rated the severity of the vulnerability as moderate, and the rating was later escalated to high after Checkmarx sent additional reports. The following month, Google acknowledged that the vulnerability affected a wide selection of OEMs and informed them about it.

The search engine giant states that the issue was addressed on affected Google devices through a Play Store update to the Google Camera app released in Jul. 2019. Google also rolled out a patch to all impacted OEMs within the same month. At present, it appears that the issue has been fixed; however, there is no telling how many users lost their data because of the issue.