Updated: SwiftKey vulnerability puts 600 million Samsung Galaxy smartphones at risk

According to a report from NowSecure, a critical vulnerability in the default SwiftKey keyboard app that comes preloaded on some Samsung Galaxy smartphones puts more than 600 million smartphones at risk. 

The security company says that the Android and iOS versions of the SwiftKey app available through the official app stores do not come with this vulnerability, meaning that the security risk only affects Samsung smartphones that come with the app pre-installed.

NowSecure discovered the vulnerability last year, and informed Samsung of the flaw back in December 2014. Unfortunately, although the smartphone maker has allegedly issued a patch to carriers across the globe since the vulnerability was discovered, NowSecure claims that most carriers have yet to roll out the patch. In the US, the Verizon and Sprint versions of the Samsung Galaxy S6, the T-Mobile Galaxy S5, and the AT&T Galaxy S4 mini are still unpatched, while the status of other phones is currently unknown. 

According to NowSecure, the default SwiftKey keyboard app can be used by a potential attacker to "remotely execute code as a privileged (system) user". Fortunately, attackers will be able to hack a phone only if the handset is connected to an insecure Wi-Fi network. You can read all the technical details by heading over to the source link below. 

Hackers who manage to exploit this vulnerability will be able to do all sorts of damage. Examples include accessing the GPS coordinates, the camera, or the microphone, installing malicious apps without the user's knowledge, intercepting both messages and voice calls, or gaining access to the locally-stored files such as photos.

As SwiftKey cannot be uninstalled from the Samsung Galaxy smartphones that use it as the default keyboard app, and the vulnerability is not limited to when you're actually using the app, NowSecure says that Samsung Galaxy smartphone owners should avoid insecure Wi-Fi networks, or use a different mobile device altogether until the vulnerability is patched.

Update: Samsung reached out to us to announce that it will soon patch the vulnerability through Knox. Read the full statement below:

Update 2: In another statement, Samsung claims that there's no proof of any Samsung smartphone being exploited to take advantage of this vulnerability. Here is the full statement:

source: NowSecure



1. BobbyBuster

Posts: 854; Member since: Jan 13, 2015

Beauty of Android: OEM specific bugs/vulnerabilities IN ADDITION to the common ones.

3. -ARTE-

Posts: 80; Member since: Jun 14, 2015

Just tried sending it to my own iPhone using iMessage. I have a sneaking suspicion Apple is filtering iMessages as it never arrived when other messages did.

4. -ARTE-

Posts: 80; Member since: Jun 14, 2015

Speculation elsewhere that this is in part because iOS inherits NextStep's UTF-16 internal encoding and inadvertently truncates one of the 32-bit Arabic characters halfway when trying to add an ellipsis where it calculates it needs to chop the text. The effect of the invalid UTF-16 data (yes, it was validated upon receipt, but then it was broken) is an infinite loop in the decoder, which overspills the end of memory, rather than the buffer ever having been mapped at zero. Apple doesn't put user-space memory at 0x00 since neither C nor Objective-C has a formalised syntax for optional returns so 0x00 is used for return nil/NULL.

14. meanestgenius

Posts: 21784; Member since: May 28, 2014

Beauty of knowing you're a troll: Everyone knows that everything you say is BS.


Posts: 65; Member since: May 26, 2015

Cheap Korean tech, no wonder. Things like this never happen to finest Japanese tech.

21. BobbyBuster

Posts: 854; Member since: Jan 13, 2015

Where are you SuperNova? Your comrade is waiting for you.

24. Mxyzptlk unregistered

Or thealphageek

31. meanestgenius

Posts: 21784; Member since: May 28, 2014

Or JakeLee.

42. Mxyzptlk unregistered

You're thealphageek.

43. meanestgenius

Posts: 21784; Member since: May 28, 2014

You're an !Diot.

48. Mxyzptlk unregistered

Ok alphageek.

53. meanestgenius

Posts: 21784; Member since: May 28, 2014

Ok !Diot.

44. -ARTE-

Posts: 80; Member since: Jun 14, 2015

Jakelee is here as known by bobbybuster and his 2nd account Tedkurd.

39. j2001m

Posts: 3061; Member since: Apr 28, 2014

Hm, I think your Sony tech is overheating last time I looked, good day

50. cheetah2k

Posts: 2227; Member since: Jan 16, 2011

No, the finest Japanese tech just overheats...

55. marorun

Posts: 5029; Member since: Mar 30, 2015

You know, JApanesepatriot aka Bobby buster, that most Japanese smartphones run your beloved Android? (lol poor troll)

61. engineer-1701d unregistered

How is this Samsung's fault? It's SwiftKey's, and most people don't use it, they use others. And what finest jap tech are you talking about? Are you talking about the company that's going under, named Sony?

23. 99nights

Posts: 1152; Member since: Mar 10, 2015

If you read the article, it's Samsung specific affecting 600 phones only. Android in general.. no you're an idiot.

29. bur60

Posts: 981; Member since: Jul 07, 2014

600 million...

46. 99nights

Posts: 1152; Member since: Mar 10, 2015

Yep forgot the million.

62. engineer-1701d unregistered

I don't see how it's 600 mil unless 600 million GS6, J7 and 3 other phones have been sold in 6 months.

69. james2841

Posts: 167; Member since: Dec 10, 2014

It's EVERY Samsung phone with the keyboard, not just a couple. The number is more like 170 different models (including carrier models) of phones.

33. TBomb

Posts: 1405; Member since: Dec 28, 2012

Learned about that iCloud passwords bug last week from a friend... Heard that they said "Users should know because the keyboard didn't open up automatically" to defend it.

49. Mxyzptlk unregistered

Actually the whole password thing wasn't Apple's fault.

63. engineer-1701d unregistered

Hahahahhahaha, that's what all Apple users say. A co-worker that we have been joking with finally got rid of iPhone and got GS6 on T-Mobile, and the first thing he says is holy s the f ing screen is so crisp and amazing, and the pics. So the password thing wasn't Apple's fault, the company that makes their own phone and software, while Samsung's shipped phones with SwiftKey integrated keyboard is Samsung's fault? Explain please.

45. Simona unregistered

All apps u download from s**tty crappy store is spam!

56. xondk

Posts: 1904; Member since: Mar 25, 2014

That seems an odd thing to say, since you by saying that also say that ios bugs/vulnerabilities hit almost all users, where with OEM specific they only hit that OEM....
