Security firm Checkmarx has announced a serious flaw in Android that allows rogue apps to access the camera, as well as the microphone.

Director of Security Research Erez Yalon and Senior Security Researcher Pedro Umbelino authored the post detailing their findings. In short, rogue apps on Google and Samsung phones, and in the Android ecosystem in general, could access the camera, take photos, record videos, access stored photos and videos, as well as use the GPS metadata in photos to locate a user.

“After a detailed analysis of the Google Camera app, our team found that by manipulating specific actions and intents, an attacker can control the app to take photos and/or record videos through a rogue application that has no permissions to do so. Additionally, we found that certain attack scenarios enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata embedded in photos, to locate the user by taking a photo or video and parsing the proper EXIF data. This same technique also applied to Samsung’s Camera app.

In doing so, our researchers determined a way to enable a rogue application to force the camera apps to take photos and record video, even if the phone is locked or the screen is turned off. Our researchers could do the same even when a user was is in the middle of a voice call.”

That last part is especially concerning, as it means rogue apps can access the camera without the user realizing it. This opens up a world of possibilities for surveillance, both visual and audio, comprising a person’s privacy at best and corporate or government security at worst.

The researchers were quick to praise both Google and Samsung for their quick and professional response, and both companies have fixed the issue with their devices. Unfortunately, other vendors are also affected and it is unknown to what extent they have addressed the vulnerability.