Google has acknowledged a now-patched security flaw (CVE-2019-2234) in Android phones that enabled third-party apps to bypass the camera permissions by using storage permissions.
Security researchers were able to design and implement an app which exploited the flaw. The researchers proved that basic storage permissions could be used by attackers to access to the users’ camera, and video, remotely record calls, and use the data location information within photos to locate the phone . This could be done even when the phone was locked with the screen turned off.
You can watch a video demonstrating this below :-
Keeping your apps and operating systems up to date is an effective way of maintaining security on your devices. The easiest way to do this is to turn on automatic updates, if you can.
You can read the complete report on this issue, by Pedro Umbelino, Senior Security Researcher (Checkmarx Security) , here.