Thanks to a security flaw, Android apps had the ability to take photos and record conversations without users knowing it.

According to a bombshell reportreleased Tuesday by cybersecurity firm Checkmarx, a major Android flaw gave attackers shockingly broad permissions to a phone without consent from users. The flaw, dubbed CVE-2019-2234, allowed an app developer to gain unparalleled access to a device’s camera, turning a user's phone into a spying device. Checkmarx was able to uncover all of these vulnerabilities through a fake weather app it created.

An attacker could silence the camera shutter to hide the fact that it was recording video and taking photos without consent. These actions could even be taken when the malicious app was closed, with the screen off and the phone locked.

The flaw also gave an attacker access to stored media on a device, as well as the GPS data on photos and videos in its library. And it allowed an app developer to eavesdrop on both sides of a phone conversation and record audio.

Yes, it gets worse. A phone’s proximity sensor could be used to let the attacker know when the phone was held up to a user’s ear for a phone call or when the phone was lying face down so the open camera app couldn’t be detected while taking photos or recording video.

An attacker was even able to upload images and video from the phone to a server if a user granted the app permission to access the device’s storage.

Checkmarx first discovered the flaw over the summer while researching the Google Camera app on a Google Pixel 2 XL and Pixel 3. Further investigation uncovered the same vulnerabilities in "camera apps of other smartphone vendors in the Android ecosystem," including Samsung.

Among the most startling aspects of this flaw is the fact that the attackers were able to access a phone’s camera and mic without a user first giving permission to the app. Even the recently viral Facebook bug, which forced the iPhone's camera open, required user permission before accessing the camera.

According to Checkmarx’s report, it first contacted Google about the flaw in early July. Samsung confirmed it was also affected by the vulnerabilities in late August. Both companies approved the publication of Checkmarx’s report this month.

“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” said a Google spokesperson in a statement provided to Checkmarx. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”

In a statement to Arstechnica, Checkmarx Director of Security Research Erez Yalon speculated that the flaw may arise from Google granting its voice assistant access to a device’s camera.

Besides Google and Samsung, it’s unclear how many, if any, other Android phone manufacturers were affected by the vulnerability.

With just those two companies, however, this flaw had the ability to affect hundreds of millions of smartphone owners around the world.

Android device owners can protect themselves by making sure their smartphones are updated to the latest version of the operating system.