NowSecure security researcher Ryan Welton has disclosed a security flaw that affects over 600 million Samsung devices worldwide. The flaw lies in the pre-installed SwiftKey keyboard. Samsung gave the app system user privileges, which is one step away from root, and the app cannot be uninstalled or disabled on the device.
“If the flaw in the keyboard is exploited, an attacker could remotely:
- Access sensors and resources like GPS, camera and microphone
- Secretly install malicious app(s) without the user knowing
- Tamper with how other apps work or how the phone works
- Eavesdrop on incoming/outgoing messages or voice calls
- Attempt to access sensitive personal data like pictures and text messages”
Samsung issued a patch to mobile network providers in early 2015, but it is unclear whether the carriers have yet pushed the update to devices. Check the list below to see if your device is affected.
| DEVICE | CARRIER | PATCH STATUS |
|---|---|---|
| Galaxy S6 | Verizon | Unpatched |
| Galaxy S6 | AT&T | Unknown |
| Galaxy S6 | Sprint | Unpatched |
| Galaxy S6 | T-Mobile | Unknown |
| Galaxy S5 | Verizon | Unknown |
| Galaxy S5 | AT&T | Unknown |
| Galaxy S5 | Sprint | Unknown |
| Galaxy S5 | T-Mobile | Unpatched |
| Galaxy S4 | Verizon | Unknown |
| Galaxy S4 | AT&T | Unknown |
| Galaxy S4 | Sprint | Unknown |
| Galaxy S4 | T-Mobile | Unknown |
| Galaxy S4 Mini | Verizon | Unknown |
| Galaxy S4 Mini | AT&T | Unpatched |
| Galaxy S4 Mini | Sprint | Unknown |
| Galaxy S4 Mini | T-Mobile | Unknown |
What to do:
- Avoid insecure wi-fi networks
- Use a different mobile device
- Contact carriers for patch information and timing
Source: NowSecure
Update:
SwiftKey has provided the following information to clear up any concerns regarding their keyboard.
“The one thing we want to make clear is the difference between a pre-installed app and us providing Samsung our core software in an SDK. NowSecure call us a pre-install, but this isn’t technically true. We provided Samsung with our SDK, which is what powers word predictions and other typing features in their stock keyboard app. In that sense we’re a technology provider here, rather than the end-to-end producers of the Samsung keyboard app. This is completely different than a pre-installed app.
The reason we’re highlighting this is that we want everyone to understand that this issue is distinct from SwiftKey Keyboard, our consumer app on Google Play and the App Store, which is unaffected by this security vulnerability.