Security researchers at Google and Amnesty International discovered hackers exploiting the bug in an active hacking campaign.