Samsung vulnerability exposed with over 600 million devices affected worldwide

NowSecure security researcher Ryan Welton has disclosed a security flaw that affects over 600 million Samsung devices worldwide. The flaw lies in the pre-installed SwiftKey keyboard. Samsung gave the app system user privileges, which are one step away from root, and the app cannot be uninstalled or disabled by the user.

“If the flaw in the keyboard is exploited, an attacker could remotely:

  1. Access sensors and resources like GPS, camera and microphone
  2. Secretly install malicious app(s) without the user knowing
  3. Tamper with how other apps work or how the phone works
  4. Eavesdrop on incoming/outgoing messages or voice calls
  5. Attempt to access sensitive personal data like pictures and text messages”

Samsung issued a patch to mobile network providers in early 2015, but it is unclear whether the carriers have yet pushed the update to devices. Check the list below to see if your device is affected.

| Device | Carrier | Patch status |
|---|---|---|
| Galaxy S6 | Verizon | Unpatched |
| Galaxy S6 | AT&T | Unknown |
| Galaxy S6 | Sprint | Unpatched |
| Galaxy S6 | T-Mobile | Unknown |
| Galaxy S5 | Verizon | Unknown |
| Galaxy S5 | AT&T | Unknown |
| Galaxy S5 | Sprint | Unknown |
| Galaxy S5 | T-Mobile | Unpatched |
| Galaxy S4 | Verizon | Unknown |
| Galaxy S4 | AT&T | Unknown |
| Galaxy S4 | Sprint | Unknown |
| Galaxy S4 | T-Mobile | Unknown |
| Galaxy S4 Mini | Verizon | Unknown |
| Galaxy S4 Mini | AT&T | Unpatched |
| Galaxy S4 Mini | Sprint | Unknown |
| Galaxy S4 Mini | T-Mobile | Unknown |

What to do:

  • Avoid insecure Wi-Fi networks
  • Use a different mobile device until a patch is available
  • Contact your carrier for patch information and timing

Source: NowSecure

Update:
SwiftKey has provided the following statement to clear up concerns regarding its keyboard.

“The one thing we want to make clear is the difference between a pre-installed app and us providing Samsung our core software in an SDK. NowSecure call us a pre-install, but this isn’t technically true. We provided Samsung with our SDK, which is what powers word predictions and other typing features in their stock keyboard app. In that sense we’re a technology provider here, rather than the end-to-end producers of the Samsung keyboard app. This is completely different than a pre-installed app.

The reason we’re highlighting this is that we want everyone to understand that this issue is distinct from SwiftKey Keyboard, our consumer app on Google Play and the App Store, which is unaffected by this security vulnerability.

For more information on SwiftKey and how this works, you can find that here on our blog.”