Bleeping Computer
Facebook fixed a critical flaw in the Facebook Messenger for Android messaging app that allowed callers to listen to other users’ surroundings without permission before the person on the other end picked up the call.
Facebook Messenger for Android has been installed on more than 1 billion Android devices according to the app’s official Play Store page.
Attackers could have exploited this bug by sending a special type of message known as SdpUpdate, which would cause the call to connect to the callee’s device before it was answered.
If this message is sent to the callee device while it is ringing, it will cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee’s surroundings, explains Natalie Silvanovich, a researcher on Google’s Project Zero bug-hunting team.
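To make the underlying state-handling flaw concrete, here is an added toy model of a callee-side call session; it is not Facebook's code, and the field names, the single "SdpUpdate" message type and the "offer-v1" payload are constructed assumptions. The vulnerable variant applies the remote update the moment it arrives, so media starts while the phone is still ringing; the hardened variant holds the update until the local user has explicitly answered.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class CalleeSession:
    """Toy callee-side call session (constructed model, not the real app)."""
    gate_media_on_accept: bool  # True = hardened behaviour, False = vulnerable
    ringing: bool = False
    user_accepted: bool = False
    audio_transmitting: bool = False
    pending_sdp: Optional[str] = None

    def on_incoming_call(self) -> None:
        self.ringing = True

    def on_signaling(self, msg_type: str, sdp: str = "") -> None:
        if msg_type != "SdpUpdate":
            return  # other signaling types are out of scope for this model
        if self.gate_media_on_accept and not self.user_accepted:
            # Hardened: keep the offer but do not open the microphone until
            # the local user has pressed answer.
            self.pending_sdp = sdp
            return
        # Vulnerable: the update is applied as soon as it arrives, so while
        # still ringing it starts sending the callee's audio before they answer.
        self._apply_sdp(sdp)

    def on_user_accept(self) -> None:
        self.user_accepted = True
        self.ringing = False
        if self.pending_sdp is not None:
            self._apply_sdp(self.pending_sdp)
            self.pending_sdp = None

    def _apply_sdp(self, sdp: str) -> None:
        # Applying the remote description is what starts media in this model.
        self.audio_transmitting = True


def run_scenario(hardened: bool) -> Tuple[bool, bool]:
    """Return (audio flowing before answer, audio flowing after answer)."""
    s = CalleeSession(gate_media_on_accept=hardened)
    s.on_incoming_call()
    s.on_signaling("SdpUpdate", sdp="offer-v1")  # constructed remote message
    before = s.audio_transmitting
    s.on_user_accept()
    return before, s.audio_transmitting
```

The check a reviewer wants from such a model is that no remote signaling message alone can move the session into a media-transmitting state; only a local user action may do that.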