Major security flaw impacts 600 million Samsung Galaxy phones


CHICAGO — Millions of Samsung Galaxy phones are likely impacted by a security flaw that could allow attackers to install malware or eavesdrop on calls — and there’s not much users can do about it.

Security firm NowSecure said a bug in the Swift keyboard software pre-installed on more than 600 million Samsung devices could allow a hacker to “execute code as a privileged user” and gain access to the device and the user’s network.

If the flaw in the keyboard is exploited, the attacker could access the phone’s GPS, camera and microphone, install malicious apps, eavesdrop on calls, and access photos and messages. The keyboard cannot be disabled or uninstalled, and the flaw can be exploited even when the keyboard is not in use.

The list of devices includes the Galaxy S6, Galaxy S5, Galaxy S4, and Galaxy S4 Mini. Verizon, AT&T, Sprint, and T-Mobile customers are all impacted.

The flaw was discovered by Ryan Welton, a researcher at NowSecure. The firm notified Samsung and the Google Android security team in December.

“While Samsung began providing a patch to mobile network operators in early 2015, it is unknown if the carriers have provided the patch to the devices on their network. In addition, it is difficult to determine how many mobile device users remain vulnerable, given the device models and number of network operators globally.”

Samsung has not publicly commented on the security flaw.

SwiftKey released a statement in a blog post:

“We supply Samsung with the core technology that powers the word predictions in their keyboard. It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability. We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this obscure but important security issue.

The vulnerability in question poses a low risk: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”
