There's a serious flaw in all tested versions of Android, but Google doesn't seem to be in much of a hurry to fix it.
Researchers with Trend Micro's Zero Day Initiative said they reported the flaw to Google in March of this year. Google said in June that it planned to patch it, but when ZDI researchers checked in on Google's progress in late August, they were told there was nothing new to report.
ZDI publicly disclosed the flaw yesterday (Sept. 4) as part of its responsible-disclosure program. There is no fix for the flaw in Google's September round of Android security updates, released Tuesday (Sept. 3). It's not known whether the flaw is fixed in Android 10, which also came out Tuesday.
The flaw exists in the Video4Linux 2 (V4L2) package of drivers and software used for capturing video. It lets "local attackers" with low system privileges -- such as an installed app, or someone who borrows your phone -- "escalate privileges in the context of the kernel," or get full system control.
By itself, the flaw doesn't permit remote takeover via the internet, but it could be used by a malicious app downloaded from the Play Store or an "off-road" Android app store.
"Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service," the ZDI team wrote in its blog post. "Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it."
In plain English, that means be very careful about which apps you let record video. Go into Settings > Apps and Notifications > App permissions > Camera permissions and disable camera access for any app that you don't think needs to use the camera. (Your phone's settings menu may be different.)
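The same camera-permission review can be done from a computer across every installed app at once. The script below is an added example, not something from ZDI or Google: it assumes the text layout that `adb shell dumpsys package` prints (which varies between Android versions), and the function names and sample package names are made up for illustration.

```shell
# Added example: list packages that currently hold the CAMERA permission.
# Assumption: input follows the layout printed by `adb shell dumpsys package`.
# Typical use:  adb shell dumpsys package | camera_granted
# To revoke:    adb shell pm revoke <package> android.permission.CAMERA

camera_granted() {
    awk '
        # A "Package [name] (id):" header starts a new package record.
        /^[ \t]*Package \[/ {
            s = index($0, "["); e = index($0, "]")
            pkg = substr($0, s + 1, e - s - 1)
            next
        }
        # Shared-user records list permissions too; they are not apps, skip them.
        /^[ \t]*SharedUser \[/ { pkg = ""; next }
        # Report each package once if CAMERA is granted (granted=false is ignored).
        pkg != "" && /android\.permission\.CAMERA: granted=true/ {
            if (!(pkg in seen)) { seen[pkg] = 1; print pkg }
        }
    '
}

# Constructed sample input (not captured from a real device).
sample_dump() {
    cat <<'EOF'
Packages:
  Package [com.example.flashlight] (1a2b3c):
    userId=10123
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (4d5e6f):
    runtime permissions:
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
  Package [com.example.scanner] (7a8b9c):
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ ]
      android.permission.RECORD_AUDIO: granted=false
Shared users:
  SharedUser [android.uid.system] (0d1e2f):
    install permissions:
      android.permission.CAMERA: granted=true
EOF
}
```

Running `sample_dump | camera_granted` prints the two sample apps with camera access granted; anything on a real device's list that has no reason to record video is a candidate for revoking.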
As always, don't download any apps from off-road app stores, and be careful about what you do download from the official Google Play Store.