Sometimes it only seems like your smartphone is recording you, like when you say something about Oreos and then lock eyes with an eerily similar Facebook ad moments later. Other times, your phone just leaves the door open wide for determined hackers to record you without ever asking for permission.
That second scenario might not be quite as common, but researchers at security firm Checkmarx say they discovered a serious flaw involving the Android camera app earlier this year.
As reported by Ars Technica, the researchers say they were able to create a proof-of-concept application that looked like a weather app and only asked for permission to access Android device storage. Taking advantage of the flaw, the researchers say they could silently take pictures, record video and audio, check whether the phone was facing down, record calls, and access the device’s location via GPS data included in photos. And while there appears to be no proof this vulnerability was abused in the wild, the researchers were able to upload everything they recorded to a remote server.
Google tells Fast Company that it addressed the issue for “impacted Google devices”—aka Pixel phones—back in July. And Samsung says it has “released patches to address all Samsung device models that may be affected,” but the company did not say when it released its fix, Ars Technica reports.
Google said in its statement that its “patch has also been made available to all partners,” but it wouldn’t say whether any Android devices from other manufacturers are still affected today. Unfortunately, some devices might be, according to Checkmarx. Ars Technica shared a how-to for technically savvy users who want to see if their device is still vulnerable.