Updated: SwiftKey vulnerability puts 600 million Samsung Galaxy smartphones at risk
According to a report from NowSecure, a critical vulnerability in the default SwiftKey keyboard app that comes preloaded on some Samsung Galaxy smartphones puts more than 600 million smartphones at risk.
The security company says that the Android and iOS versions of the SwiftKey app available through the official app stores do not come with this vulnerability, meaning that the security risk only affects Samsung smartphones that come with the app pre-installed.
NowSecure discovered the vulnerability last year, and informed Samsung of the flaw back in December 2014. Unfortunately, although the smartphone maker has allegedly issued a patch to carriers across the globe since the vulnerability was discovered, NowSecure claims that most carriers have yet to roll out the patch. In the US, the Verizon and Sprint versions of the Samsung Galaxy S6
, the T-Mobile Galaxy S5
, and the AT&T Galaxy S4 mini
are still unpatched, while the status of other phones is currently unknown.
According to NowSecure, the default SwiftKey keyboard app can be used by a potential attacker to "remotely execute code as a privileged (system) user". Fortunately, attackers will be able to hack a phone only if the handset is connected to an insecure Wi-Fi network. You can read all the technical details by heading over to the source link below.
Hackers who manage to exploit this vulnerability will be able to do all sorts of damage. Examples include accessing the GPS coordinates, the camera, or the microphone, installing malicious apps without the user's knowledge, intercepting both messages and voice calls, or gaining access to the locally-stored files such as photos.
As SwiftKey cannot be uninstalled from the Samsung Galaxy smartphones that use it as the default keyboard app, and the vulnerability is not limited to when you're actually using the app, NowSecure says that Samsung Galaxy smartphone owners should avoid insecure Wi-Fi networks, or use a different mobile device altogether until the vulnerability is patched.
Update: Samsung reached out to us to announce that it will soon patch the vulnerability through Knox. Read the full statement below:
Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security. Samsung Knox has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days. In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.
Update 2: In a another statement, Samsung claims that there's no proof of any Samsung smartphone being exploited to take advantage of this vulnerability. Here is the full statement:
The likelihood of making a successful attack, exploiting this vulnerability is low. There have been no reported customer cases of Galaxy devices being compromised through these keyboard updates. But as the reports indicate, the risk does exist and Samsung will roll out a security policy update in the coming days. This vulnerability, as noted by the researchers, requires a very specific set of conditions for a hacker to be able to exploit a device this way. This includes the user and the hacker physically being on the same unprotected network while downloading a language update. Also, on a KNOX-protected device there are additional capabilities in place such as real-time kernel protection to prevent a malicious attack from being effective.