An attacker hacking into your Android phone's camera app to view your surroundings and record you is a scary thought, but it is more likely than you probably think. A recent report published by Israeli security research firm Checkmarx reveals that Google's and Samsung's camera apps contain vulnerabilities that, when exploited, could allow an attacker to take full control of the app even if the application permissions (for storage, location, etc.) are locked.

In a detailed report and video released a few days ago, Checkmarx researchers demonstrate that their mock-up app, a seemingly harmless weather app, successfully hijacked the default camera app on a Google Pixel 2 XL running Android 9 Pie. The video shows that Checkmarx's app was able to record videos, take photos, bypass camera app permissions, access stored media, and retrieve the user's location via the GPS metadata of the media files.

The report mentions that this type of hijacking is also possible with Samsung's camera app. It adds that Google responded by acknowledging the problem and advising Checkmarx that a fix had already been sent out in July, earlier in the year. “The issue was resolved on affected Google devices through a Play Store update to the Google Camera app in July 2019. A fix has also been made available to all partners.”

In the video, the researchers also show a real-life scenario in which this type of attack could be dangerous for the user and their data. An attacker is seen calling the victim. When the victim places the phone against their ear, the attacker runs the mock hijacking app to record video through the phone's rear camera. The recorded video captures sensitive data displayed on the user's external screen, allowing the attacker to steal that data using the hijacking application.