If you bought a Samsung phone within the last 2 or 3 years, chances are you need Samsung to plug a vulnerability found in the pre-installed keyboard from third-party developer SwiftKey. Because this keyboard ships pre-installed on almost all Samsung devices produced from 2012 to now, the number of affected phones is estimated at around 600 million units. Yes, it’s that bad.


The vulnerability was discovered by Ryan Welton, a mobile security researcher at the software security firm NowSecure. The company informed Samsung of the vulnerability around December 2014. Samsung began pushing patches out to mobile carriers in March 2015, but at this point there is no way to know which carriers have actually delivered those patches to their subscribers.

The vulnerability is triggered when SwiftKey, the pre-installed keyboard app that Samsung grants high execution privileges, requests language updates (which can happen periodically, roughly every four hours from the time you first used the pre-installed keyboard). An attacker who can intercept that upstream/downstream traffic can use it to do any of the following: access sensors and resources such as GPS, camera and microphone; secretly install malicious apps without the user’s knowledge; tamper with other apps or the operating system; eavesdrop on incoming and outgoing messages or voice calls; and gain access to personal data such as pictures and text messages. That is really, really bad and scary.


The vulnerability exists even if you forgo SwiftKey and use a third-party keyboard, because the pre-installed app will still query for updates. It can also be exploited without any user action. We really hope Samsung finds a way to patch this fast. For help on how to reduce risk, check out the source link below.

SOURCE: NowSecure

2 COMMENTS

    • There’s no way to fix it; even if not used, the app will still regularly ask for updates.

      The only way to mitigate the problem is to avoid using unsecured networks (like the link states) and hope there’s no Man-in-the-Middle exploit on the network.

      Rooting may allow you to uninstall the keyboard.
