Security researchers have gone public with details of a security flaw that, they say, could impact over 600 million Samsung mobile devices worldwide – including the recently released Galaxy S6.
The problem, claim researchers at security firm NowSecure, lies inside the SwiftKey keyboard pre-installed with Samsung devices.
If successfully exploited, the vulnerability could lead to attackers remotely accessing your device to spy through its camera or microphone, track your physical location via GPS, install malicious apps without you knowing, steal information and even eavesdrop on your messages and voice calls.
Worst of all, the threat is compounded by the fact that the keyboard cannot be disabled or uninstalled, and even if the SwiftKey keyboard is not the default keyboard on your Samsung device, it can still be exploited.
In other words – it’s potentially a massive security risk.
So what precisely is the problem with the SwiftKey keyboard pre-installed on Samsung devices?
Well, NowSecure researchers claim that the keyboard updates itself by downloading a ZIP archive of new files over an unsecured, unencrypted HTTP connection rather than HTTPS. The authenticity of the update is not checked, meaning that an attacker could potentially intercept the download – perhaps when a target is using a malicious WiFi hotspot – and send the phone malware instead, bundled inside the archive.
The update process has system-level access, giving the attackers the ability to overwrite files on the Samsung smartphone, injecting malware.
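The two missing checks described above, an integrity check before the archive is trusted and a check that no archive member can write outside the install directory, as an added illustration that is not NowSecure's, Samsung's or SwiftKey's code. It assumes a hypothetical update format and an expected SHA-256 digest obtained over an authenticated channel (a real updater would verify a public-key signature instead); the archives are constructed samples.

```python
import hashlib
import hmac
import io
import os
import zipfile


def build_update(files):
    """Construct an in-memory ZIP archive (constructed sample, not a real update)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_update(archive, expected_digest, install_dir):
    """Return (ok, reason). The archive is accepted only if its digest matches
    the value received over an authenticated channel (so a swap in transit over
    plain HTTP is detected) and every member resolves inside install_dir (so a
    privileged unpack cannot overwrite arbitrary system files)."""
    if not hmac.compare_digest(sha256_hex(archive), expected_digest):
        return False, "digest mismatch: archive differs from the published update"
    root = os.path.realpath(install_dir)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                return False, "member escapes install dir: " + info.filename
    return True, "ok"


if __name__ == "__main__":
    # Hypothetical install location, used only for path resolution here.
    good = build_update({"lang/en_US.dict": b"constructed word list"})
    print(check_update(good, sha256_hex(good), "/data/keyboard"))
    swapped = build_update({"lang/en_US.dict": b"constructed tampered payload"})
    print(check_update(swapped, sha256_hex(good), "/data/keyboard"))
```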
NowSecure says that it informed Samsung of the issue in late 2014, and has also informed the Google Android Security team.
And although Samsung is thought to have begun providing mobile operators with a patch for the so-called “Samsung stock keyboard using the SwiftKey SDK” in early 2015, it is difficult for mobile device users to know if their carrier has patched the problem and many customers could still be at risk:
“It is unknown if the carriers have provided the patch to the devices on their network. In addition, it is difficult to determine how many mobile device users remain vulnerable, given the devices models and number of network operators globally.”
SwiftKey has responded to the news reports of the vulnerability, putting the blame at Samsung’s door:
“We supply Samsung with the core technology that powers the word predictions in their keyboard. It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability. We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this important security issue.”
“The vulnerability in question is not easy to exploit: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”
SwiftKey says that its standalone keyboard apps, available in the Google Play and iOS App Store, are not affected by the vulnerability, but that is little consolation for the at-risk Samsung users. Sorry Samsung phone owners, but downloading a safe version of the app from the Google Play store won’t help you.
In the meantime, while you wait for confirmation from your mobile phone carrier as to whether you are protected or not, you might be wiser to always ensure that you are using a VPN to encrypt your internet connection. In fact, that’s probably a good idea regardless in this day and age.