pixel 3 vs pixel 4 Antonio Villas-Boas/Business Insider

A security flaw in Google’s Android lets malicious apps access users‘ camera and microphone to secretly record them and upload the videos to an external server.

The flaw, uncovered by Checkmarx and reported by Ars Technica, also allowed hackers to track metadata like the GPS location where videos were recorded.

Google has patched the flaw for its Pixel phones and Samsung has done the same for its devices, but other Android devices could still be vulnerable, according to Checkmarx.

Visit Business Insider’s homepage for more stories.

A security flaw in Android’s operating system made it possible for malicious apps to hijack a user’s smartphone camera, record video and audio, and upload those clips to an external server without the person’s knowledge.

The flaw was uncovered by the cybersecurity firm Checkmarx in July, and its findings were published Tuesday, Ars Technica first reported.

Google and Samsung have patched the flaw in their devices, but Google said other Android devices could still be vulnerable, according to Checkmarx. It’s not clear how many users were affected.

„We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,“ a Google spokesperson told Business Insider in an email. „The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.“

A Samsung spokesperson told Business Insider the company has also released patches to address the issue since being notified by Google.

„We recommend that all users keep their devices updated with the latest software to ensure the highest level of protection possible,“ the spokesperson said.

Checkmarx developed a proof-of-concept app in order to test a worst case scenario for exploiting the security flaw. Researchers found that their malicious app could easily bypass a security restriction meant to prevent apps from accessing an Android camera without permission.

In addition to secretly recording audio and video, their app was able to track metadata like the GPS location where videos were taken.

„We also found that these same vulnerabilities impact the camera apps of other smartphone vendors in the Android ecosystem … presenting significant implications to hundreds of millions of smartphone users,“ Checkmarx research head Erez Yalon wrote in the firm’s report.

Here’s how to check whether your Android device is vulnerable:

Update your phone’s apps. A patch has been rolled out for all Pixel and Samsung devices, so making sure your software is up-to-date is the best way to ensure you’re protected. On Pixel phones, navigate to Settings > Apps and Notifications > Camera > Advanced > App Details. If the app has been updated since July, you’re safe. If you have an Android device that isn’t a Pixel or Samsung, run the command listed here. If doing so forces your phone to record a video, you’re exposed to the vulnerability.

You can read the full report on Checkmarx’s site.