Dan Goodin, writing for Ars Technica:
An attack wouldn't be completely surreptitious. The screen of an exploited device would display the camera as it recorded video or shot an image. That would tip off anyone who was looking at the handset at the time the attack was being carried out. Still, the attack would be able to capture video, sound, and images at times when a phone display was out of eyesight, such as when the device was placed screen down. The app was able to use the proximity sensor to determine when the device is face down.
Google and Samsung have released fixes, but it's impossible to know how many handsets out there remain vulnerable to this exploit.