Over 600 million Samsung smartphones are at significant security risk. The flaw affects most of Samsung's leading smartphones, including the recently released Samsung Galaxy S6, and stems from the SwiftKey keyboard app that Samsung pre-installs on its devices.
Ryan Welton of mobile security firm NowSecure discovered the flaw: the pre-installed SwiftKey keyboard checks for language pack updates over an unencrypted connection. An attacker who controls that connection can use it to execute code as a privileged (system) user and gain access to the device and the user's network. If the bug is exploited, the attacker could install malicious apps, eavesdrop on calls, and access the phone's GPS, camera, microphone, photos and messages. Users can do little to remove the flaw themselves: the SwiftKey app cannot be uninstalled or disabled, and a device remains vulnerable even when SwiftKey is not set as its default keyboard.
NowSecure discovered the flaw in December 2014 and reported it to Samsung, yet Samsung smartphones are still vulnerable. Samsung worked on a patch and sent updates to the various carriers for devices running Android 4.2 or higher in March 2015, but it is unknown whether those patches have made their way to devices.
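The pattern the article describes, a cleartext update fetch whose result is handled with system privileges, beside a hardened form, as an added example that is not SwiftKey's or Samsung's code. The network is simulated by an injectable `fetch` callable so the script runs offline; the URLs, pack contents, digest and install path are all constructed for the example, and the traversal entry in the tampered archive is a generic illustration of what an unverified archive can do when written with elevated rights, not a description of the SwiftKey payload. The hardened client assumes the expected digest reached it through a trusted channel (for instance a signed manifest or the app's own signed update), which is the piece a cleartext channel can never supply.

```python
"""Update-channel hardening demo (added example, not vendor code)."""
import hashlib
import hmac
import io
import zipfile
from pathlib import Path
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised when the hardened client refuses an update."""


def build_pack(files: dict) -> bytes:
    """Build a constructed sample language pack: zip of name -> content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample data: the genuine pack and its digest. A hardened client
# would obtain this digest from a signed manifest or ship it with the app.
GENUINE_PACK = build_pack({"en_US/dictionary.txt": "hello world"})
GENUINE_SHA256 = hashlib.sha256(GENUINE_PACK).hexdigest()

# What a network attacker substitutes: a plausible-looking archive that also
# carries an entry aimed outside the install directory (constructed, generic).
TAMPERED_PACK = build_pack({
    "en_US/dictionary.txt": "hello world",
    "../../system/evil.so": b"\x7fELF attacker payload",
})


def mitm_fetch(url: str) -> bytes:
    """Simulated network: a rogue hotspot rewrites every cleartext response."""
    if urlparse(url).scheme == "http":
        return TAMPERED_PACK
    return GENUINE_PACK


def vulnerable_install(url: str, dest: Path, fetch=mitm_fetch) -> dict:
    """Pattern the article describes: cleartext fetch, no integrity check,
    archive entries written straight into a privileged location.
    Returns {resolved path: bytes} for what would be written (no disk I/O)."""
    data = fetch(url)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Entry names are joined to dest as-is, so ".." segments escape it.
        return {str((dest / name).resolve()): zf.read(name)
                for name in zf.namelist()}


def hardened_install(url: str, dest: Path, expected_sha256: str,
                     fetch=mitm_fetch) -> dict:
    """Refuse cleartext, verify the pack digest before trusting any byte of it,
    and confine extraction to the install directory."""
    if urlparse(url).scheme != "https":
        raise UpdateRejected("refusing cleartext update channel")
    data = fetch(url)
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256):
        raise UpdateRejected("language pack digest mismatch")
    root = dest.resolve()
    written = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = (root / info.filename).resolve()
            if target != root and root not in target.parents:
                raise UpdateRejected(f"entry escapes install dir: {info.filename}")
            written[str(target)] = zf.read(info)
    return written


def demo() -> dict:
    """Run both clients through the simulated rogue hotspot; returns outcomes."""
    dest = Path("/data/keyboard/langpacks")  # assumed install path
    outcomes = {"vulnerable": sorted(
        vulnerable_install("http://updates.example/en_US.zip", dest))}
    for label, url, fetch in [
        ("hardened_http", "http://updates.example/en_US.zip", mitm_fetch),
        ("hardened_https", "https://updates.example/en_US.zip", mitm_fetch),
        ("hardened_tampered_tls", "https://updates.example/en_US.zip",
         lambda _url: TAMPERED_PACK),
    ]:
        try:
            outcomes[label] = sorted(
                hardened_install(url, dest, GENUINE_SHA256, fetch))
        except UpdateRejected as exc:
            outcomes[label] = f"rejected: {exc}"
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable client happily resolves an entry to `/data/system/evil.so`, which is the shape of "code execution as system" the article warns about; the hardened client rejects the cleartext URL outright, installs the genuine pack over HTTPS, and still rejects a tampered pack even if the attacker somehow controls the TLS connection, because the digest was obtained elsewhere.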
According to the SwiftKey blog:
“This vulnerability is unrelated to and does not affect our SwiftKey consumer apps on Google Play and the Apple App Store.
We supply Samsung with the core technology that powers the word predictions in their keyboard. It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability. We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this important security issue.
The vulnerability in question is not easy to exploit: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”
A NowSecure spokesperson said this does not mean users can fix the problem by downloading a fresh copy of SwiftKey from Google Play or the Apple App Store; Samsung smartphones still require a carrier update to remove the vulnerability.