A critical bug in Facebook Messenger for Android has been fixed. The bug allowed a user to listen to another user's surroundings without their permission, before the person on the other end picked up the call.
Attackers have abused the vulnerability by sending a special message called SdpUpdate, which would cause the call to connect to the attacker's device before the victim has answered the call.
According to Facebook, "the bug could have allowed a sophisticated attacker logged in on Messenger for Android to simultaneously initiate a call and send an unintended message type to someone logged in on Messenger for Android and another Messenger client (i.e. web browser)."
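The failure described above is a signaling message being honoured while the call is still ringing. The following sketch is an added example, not Facebook's code: a callee-side state check in which only a local answer action can start audio. The states, the class and every message name other than SdpUpdate are assumptions made for illustration.

```python
from enum import Enum, auto

class CallState(Enum):
    RINGING = auto()    # incoming call shown, user has not answered
    ACCEPTED = auto()   # user answered locally
    ENDED = auto()

class SignalingError(Exception):
    """A remote message arrived that is not valid in the current state."""

# Hypothetical message names; only "SdpUpdate" comes from the article.
ALLOWED = {
    CallState.RINGING: {"Offer", "Hangup"},
    CallState.ACCEPTED: {"SdpUpdate", "Hangup"},
    CallState.ENDED: set(),
}

class CalleeSession:
    def __init__(self):
        self.state = CallState.RINGING
        self.audio_sending = False
        self.rejected = []   # (state, message) pairs, useful as telemetry

    def user_accepts(self):
        """Only this local UI action moves the call out of RINGING."""
        if self.state is not CallState.RINGING:
            raise SignalingError("accept outside RINGING")
        self.state = CallState.ACCEPTED
        self.audio_sending = True

    def on_remote_message(self, msg_type):
        """Handle a peer message; the peer can never switch audio on."""
        if msg_type not in ALLOWED[self.state]:
            self.rejected.append((self.state.name, msg_type))
            raise SignalingError(f"{msg_type} not allowed in {self.state.name}")
        if msg_type == "Hangup":
            self.state = CallState.ENDED
            self.audio_sending = False
        # An SdpUpdate reaching this point arrives after the user answered,
        # so renegotiating media here cannot precede consent.

def replay(events):
    """Feed constructed events to a fresh session; return (audio, rejected)."""
    session = CalleeSession()
    for event in events:
        try:
            if event == "<user-accept>":
                session.user_accepts()
            else:
                session.on_remote_message(event)
        except SignalingError:
            pass  # rejected message is dropped; the call keeps its state
    return session.audio_sending, session.rejected
```

The `rejected` list doubles as a detection signal: an SdpUpdate logged against the RINGING state is exactly the out-of-order message the article describes.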