A security flaw in Android's operating system made it possible for malicious apps to hijack a user's smartphone camera, record video and audio, and upload those clips to an external server without the person's knowledge.
Google and Samsung have patched the flaw in their devices, but Google said other Android devices could still be vulnerable, according to Checkmarx. It's not clear how many users were affected.
"We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure," a Google spokesperson told Business Insider in an email. "The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners."
A Samsung spokesperson told Business Insider the company has also released patches to address the issue since being notified by Google.
"We recommend that all users keep their devices updated with the latest software to ensure the highest level of protection possible," the spokesperson said.
Checkmarx developed a proof-of-concept app to test a worst-case scenario for exploiting the security flaw. Researchers found that their malicious app could easily bypass a security restriction meant to prevent apps from accessing an Android camera without permission.
In addition to secretly recording audio and video, their app was able to track metadata like the GPS location where videos were taken.
"We also found that these same vulnerabilities impact the camera apps of other smartphone vendors in the Android ecosystem ... presenting significant implications to hundreds of millions of smartphone users," Checkmarx research head Erez Yalon wrote in the firm's report.