Google recently disclosed a now-fixed Android camera app exploit that allowed third-party applications to gain access to the camera of the smartphone along with stored media (images and videos).

The exploit was brought to light by a security research team at Checkmarx. The same team uncovered alarming vulnerabilities in Amazon’s Alexa and Tinder in the past. The most recent discovery affects Google and Samsung smartphones.

These researchers found that when a third-party application requested access to storage, it was given access to the smartphone’s camera as well. This allowed the hacker to tap into the user’s phone and record videos and take images via the camera. It also gave the hacker access to geolocation data embedded in stored photos.

Checkmarx researchers said:

“Unfortunately, storage permissions are very broad and these permissions give access to the entire SD card. There are a large number of applications, with legitimate use-cases, that request access to this storage, yet have no special interest in photos or videos. In fact, it’s one of the most common requested permissions observed.”

To develop a proof of concept, the researchers created a mock weather application. The application requested only basic storage permissions from the user. As soon as permission was granted, the app was able to take photos and record videos on the victim’s smartphone. The whole process is shown in the following video.

The flaw was reported on July 4 to Google’s Android security team, and the rest of the vendors were informed in August. Google rolled out a patch for the issue soon after it was reported; however, there is a high chance that users from other vendors (apart from Google and Samsung) are still receiving the update. Given the size of the broader Android ecosystem, the flaw might have significant implications for hundreds of millions of smartphone users.