An Android vulnerability allowing malware to obtain user data including login credentials, location and photos, was found on all versions of Google’s operating system, placing its 500 most popular apps at risk, mobile protection specialist Promon Security stated.

The flow let the bug, named StrandHogg, imitate any legitimate app, enabling hackers to read and send text messages, track location, and make and record phone conversations. They could also spy on user activity through the phone camera and microphone, the Norway-based company said.

Promon Security found the 500 apps ranked as the most popular by intelligence company 42 Matters were at risk of being affected.

In a statement, Google said it had suspended the potentially harmful apps identified by Promon Security and commenced an investigation, BBC News reported.

This is the latest warning about security flaws in Android: in July, the University of California Berkely announced it found thousands of apps have the ability to circumvent Android’s permissions system and gain access to sensitive user information.

In November, Google partnered with security companies ESET, Lookout and Zimperium to help it screen new apps for malware prior to their publication.