A flaw has be uncovered in Android smartphones that lets hackers infiltrate cameras without users’ knowledge – effecting hundreds of millions of users.

Security experts discovered several vulnerabilities on two different Pixel smartphones that lets attackers bypass permissions.

Using a rogue application, the team was able to grab data from the camera, microphone as well as GPS location without consent.

The flaw, dubbed CVE-2019-2234, was uncovered by researchers from security firm Chexmarx, which let gain access to a device’s camera, transforming the harmless device into a spying nightmare.

Scroll down for video

Security experts have discovered several vulnerabilities on two different Pixel smartphones that lets attackers bypass permissions. One of the smartphones used in the test was a Pixel 3 (pictured)

‘In order to better understand how smartphone cameras may be opening users up to privacy risks, the Checkmarx Security Research Team cracked into the applications themselves that control these cameras to identify potential abuse scenarios,’ Checkmarx shared on it is website.

‘Having a Google Pixel 2 XL and Pixel 3 on-hand, our team began researching the Google Camera app, ultimately finding multiple concerning vulnerabilities stemming from permission bypass issues.’

‘After further digging, we also found that these same vulnerabilities impact the camera apps of other smartphone vendors in the Android ecosystem – namely Samsung – presenting significant implications to hundreds-of-millions of smartphone users.’

The team was able to successfully store media on devices and access the GPS location on images and videos in the library.

The flaw let developers silence the camera, so users will not know it is active

And the smartphone’s proximity sensor lets hackers know when the user is talking on the device or when it is laying down -allowing them to use the camera app without being spotted

The flaw also allowed them to listen in on both sides of phone conversations and record them –again, without users knowing.

And the smartphone’s proximity sensor lets hackers know when the user is talking on the device or when it is laying down -allowing them to use the camera app without being spotted.

A developer was even able to upload images and video from the phone to a server if a user granted the app permission to access the device’s storage.

To demonstrate the flaw, Checkmarx designed a proof-of-concept app that doesn’t require any special permission beyond the basic storage permission.

‘The malicious app we designed for the demonstration was nothing more than a mockup weather app that could have been malicious by design,’ the firm explained.

‘When the client starts the app, it essentially creates a persistent connection back to the C&C server and waits for commands and instructions from the attacker, who is operating the C&C server’s console from anywhere in the world.

Using a rogue application, the team was able to grab data from the camera, microphone as well as GPS location without consent

‘Even closing the app does not terminate the persistent connection.’

Google has responded to this test from Checkmarx in a statement: ‘We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure.’

‘The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019’.

‘A patch has also been made available to all partners.”