Have a Samsung Galaxy device? Chances are it has a security flaw that lets attackers install malware on it or eavesdrop on your calls, and there’s nothing you can do about it.
Chicago-based security firm NowSecure has published a report claiming that a bug in the Swift keyboard software, preinstalled on more than 600 million Samsung devices, allows a remote attacker who can control a user's network traffic (for example, someone on the same Wi-Fi network) to execute arbitrary code on the user's phone.
To make things worse, if your phone has the Swift keyboard software, it cannot be uninstalled, and the flaw can be exploited even if you do not use Swift as your active keyboard.
Swift runs in a privileged context on the phone, meaning it can access most of the device's functions. By exploiting the vulnerability, an attacker can secretly install malware on a user's device, access the device's camera, microphone and GPS, eavesdrop on calls, change the way other apps behave and even steal photos and text messages.
NowSecure says it notified Samsung of the vulnerability in December 2014, and that the U.S. Computer Emergency Readiness Team (CERT) and Google's Android security team were also notified. The good news is that Samsung began providing a patch to network operators in "early 2015"; it is not known, however, how many of them have actually pushed it to their users.
The list of potentially vulnerable devices is a scary one, including the Samsung Galaxy S6, S5, S4 and S4 mini on the major U.S. carriers Verizon, AT&T, Sprint and T-Mobile. The patch status of some devices is unknown, but some, such as the Galaxy S6 on Verizon and Sprint and the Galaxy S5 on T-Mobile, are confirmed vulnerable.
Since the Swift software cannot be uninstalled, the best course of action, according to NowSecure, is to avoid unsecured Wi-Fi networks and/or use a different mobile device until a patch arrives. NowSecure also points out that SwiftKey, the separate keyboard app available on Google Play, is built on the same software development kit but is a different piece of software from the preinstalled Swift keyboard: installing or removing it does not fix the vulnerability.
SwiftKey CMO Joe Braidwood confirmed to Mashable that the vulnerability is unrelated to the SwiftKey consumer app.
“We supply Samsung with the core technology that powers the word predictions in their keyboard. It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability,” he said in a statement.
Braidwood points out that the vulnerability is a “low risk” one. “A user must be connected to a compromised network (…), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time,” he argues.
Mashable has contacted Samsung for comment but has not yet heard back.
For a detailed technical explanation of the vulnerability, see NowSecure's write-up.