Samsung keyboard bug leaves 600 million phone users open to attack

As many as 600 million Samsung phones are vulnerable to an exploit where a hacker could remotely access a phone’s microphone and camera, eavesdrop on calls, and access valuable personal information, such as text messages and bank information.

The default and pre-installed keyboard for Samsung phones, SwiftKey, periodically checks for language updates and trending phrases. In December of 2014, Ryan Welton from mobile security firm NowSecure uncovered that this is where attackers can strike: the updates are fetched unencrypted, in plain text, with no check that the downloaded file is the one the vendor published. If the user is on the same WiFi network as the attacker, the attacker can substitute the update with a backdoor that gives complete access to the user’s phone without the user noticing.
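The weakness described above is that a language pack fetched over an untrusted network is applied without any integrity or authenticity check, so anything substituted in transit is installed. The following is an added example, not code from the article, from SwiftKey or from Samsung, showing the check a defender would expect an updater to perform: the vendor signs the SHA-256 digest of each release with an Ed25519 key, and the client verifies the signature under a pinned public key and compares the digest of what it actually downloaded before applying it. The manifest layout, the `swiftkey-langpack-v1` domain-separation prefix and the version string are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateManifest is a hypothetical manifest an updater would fetch alongside
// a language-pack payload. It carries the expected SHA-256 of the payload and
// an Ed25519 signature over that digest made with the vendor's release key.
type UpdateManifest struct {
	Version       string
	PayloadSHA256 [32]byte
	Signature     []byte
}

var (
	ErrBadSignature   = errors.New("manifest signature invalid")
	ErrDigestMismatch = errors.New("payload digest does not match signed manifest")
)

// signedDigestMessage binds the version string to the payload digest so a
// valid signature for one version cannot be replayed for another.
func signedDigestMessage(version string, digest [32]byte) []byte {
	return append([]byte("swiftkey-langpack-v1|"+version+"|"), digest[:]...)
}

// SignUpdate is what the vendor would run at release time (hypothetical).
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) UpdateManifest {
	digest := sha256.Sum256(payload)
	return UpdateManifest{
		Version:       version,
		PayloadSHA256: digest,
		Signature:     ed25519.Sign(priv, signedDigestMessage(version, digest)),
	}
}

// VerifyUpdate is the client-side check: the manifest signature must verify
// under the pinned vendor public key, and the downloaded payload must hash to
// the signed digest. Transport encryption is deliberately not assumed, so this
// is what protects a device fetching updates over an untrusted network.
func VerifyUpdate(pub ed25519.PublicKey, m UpdateManifest, payload []byte) error {
	if !ed25519.Verify(pub, signedDigestMessage(m.Version, m.PayloadSHA256), m.Signature) {
		return ErrBadSignature
	}
	if got := sha256.Sum256(payload); got != m.PayloadSHA256 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	// Constructed keys and payload; a real client would ship the public key
	// pinned in the app and never see the private key.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("constructed language-pack bytes")
	manifest := SignUpdate(priv, "2015.06", genuine)

	// Genuine payload passes both checks.
	fmt.Println("genuine:", VerifyUpdate(pub, manifest, genuine))

	// A payload altered in transit fails the digest check even though the
	// manifest itself is authentic.
	altered := bytes.Replace(genuine, []byte("language"), []byte("xxxxxxxx"), 1)
	fmt.Println("altered payload:", VerifyUpdate(pub, manifest, altered))

	// A manifest signed by anyone other than the vendor fails the signature
	// check, whatever payload it describes.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignUpdate(otherPriv, "2015.06", altered)
	fmt.Println("forged manifest:", VerifyUpdate(pub, forged, altered))
}
```

The design point is that the signature covers the digest and the version together, so a captured signature for an old release cannot be reused to pass off a different payload, and that verification happens on the bytes that were actually received rather than on a hash the server reports about itself.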

Attackers can then remotely access functions such as the phone’s GPS, microphone, and camera, secretly install malicious apps, tamper with how apps and the phone generally work, eavesdrop on calls, and access valuable personal information, such as text messages and bank logins.

This exploit affects nearly 600 million Samsung phones across many carriers, including the newly released Galaxy S6. The list of phones and carriers affected can be found here. SwiftKey cannot be uninstalled or disabled, even if the user installs a different keyboard. Samsung supposedly released an update in March that fixed the exploit, but Tuesday at the Black Hat Security Summit, Welton replicated the attack, revealing that users are still at risk.

SwiftKey for other devices, such as Apple’s iPhone, is unaffected. Android security continues to be a hot-button issue; recently Google announced a new Android Security Rewards program, which will pay users to report bugs. Samsung phone users should ask their carriers whether an update is available, and Paul Ducklin from security company Sophos recommends that users steer clear of networks they do not recognize or trust.

“The silver lining, if that’s not too strong a way to describe it, is that a crook can’t exploit this hole just whenever he likes: you have to be on his dodgy network when an IME update happens, and he has to notice in time to jump in as a man-in-the-middle,” said Ducklin.


Samsung has posted on their official blog regarding the exploit.

“The likelihood of making a successful attack exploiting this vulnerability is low. There have been no reported customer cases of Galaxy devices being compromised through these keyboard updates.”

“But as the reports indicate, the risk does exist and Samsung will roll out a security policy update in the coming days.”

Photo: Samsung Galaxy S6 (John Locher, Associated Press)

