CHICAGO — Millions of Samsung Galaxy phones are likely impacted by a security flaw that could allow attackers to install malware or eavesdrop on calls — and there’s not much users can do about it.
Security firm NowSecure said a bug in the pre-installed SwiftKey keyboard software installed on more than 600 million Samsung devices could allow a hacker to “execute code as a privileged user” to gain access to the device and the user’s network.
If the flaw in the keyboard is exploited, the attacker could access the phone’s GPS, camera and microphone, install malicious apps, eavesdrop on calls, and access photos and messages. The keyboard cannot be disabled or uninstalled. Even when it’s not being used, the security flaw can still be exploited.
The list of devices includes the Galaxy S6, Galaxy S5, Galaxy S4, and Galaxy S4 Mini. Verizon, AT&T, Sprint, and T-Mobile customers are all impacted.
The flaw was discovered by Ryan Welton, a researcher at NowSecure. The firm notified Samsung and the Google Android security team in December.
“While Samsung began providing a patch to mobile network operators in early 2015, it is unknown if the carriers have provided the patch to the devices on their network. In addition, it is difficult to determine how many mobile device users remain vulnerable, given the device models and number of network operators globally.”
Samsung has not publicly commented on the security flaw.
SwiftKey released a statement in a blog post:
“We supply Samsung with the core technology that powers the word predictions in their keyboard. It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability. We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this obscure but important security issue.
The vulnerability in question poses a low risk: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”