40% of Android phones have modem vulnerability allowing an attacker to listen in to your calls
6

A vulnerability discovered by security firm Check Point Research (via AndroidPolice) could allow a malicious app to skip the usual security features giving it access to call and text history. It also gives an attacker the ability to record conversations.
The Qualcomm Modem Interface (QMI) software is normally impossible for third-party apps to access, but if key aspects of Android are hacked, the QMI vulnerability can be used to listen in and record an active phone call, and as we already pointed out, steal call and SMS records.
Check Point revealed all of this to Qualcomm last October calling it a high-rated vulnerability. The chip maker told the phone manufacturers that use Qualcomm's modem chips. So far, the vulnerability has not been fixed and we can only hope that Qualcomm and Google will patch this in a future security update.

Older version of Qualcomm's 5G-modem chip
However, Qualcomm says that it did made fixes available to "many" Android phone manufacturers last December and that these firms passed along security updates to end users. The vulnerability will be part of the June Android bulletin.
Things that are NOT allowed: