NowSecure, a security firm based in the US has discovered a critical flaw within SwiftKey that comes pre-loaded on Samsung’s Galaxy range of smartphones. According to the report, over 600 million Samsung smartphones that come pre-loaded with SwiftKey have been affected by this vulnerability, which could allow hackers to gain access to the phone and install malware thus compromising a user’s data. The devices affected by this vulnerability include latest flagships Galaxy S6 and S6 Edge, along with Galaxy S5, Galaxy S4, Galaxy S4 Mini and Note 4.
NowSecure believes that the problem lies with SwiftKey’s language pack update mechanism. The pre-installed app can be duped to download language pack updates over an unencrypted connection in plain text. Thus, malware can be injected via these language packs thereby allowing hackers to take control of a smartphone.
As a result of the way the software was pre-installed, NowSecure said in a blog post, “… the keyboard was signed with Samsung’s private signing key and runs in one of the most privileged contexts on the device, system user”.
Once a hacker gets access to the device via the code, they can literally have total control over a particular device, from the phone’s data to messages, along with personal photographs.
“The vulnerability is triggered automatically (no human interaction) on reboot as well as randomly when the application decides to update [its language packs],” the US-based security firm said.
Notably, Samsung was informed about this vulnerability back in November 2014, though reports suggest that the Korean manufacturer asked NowSecure to wait for three months before going public with this flaw. To combat the situation Samsung reportedly issued patches to mobile phone operators, but it’s hard decipher whether carriers made these patches available to customers, said NowSecure. This suggests that most of the devices in question are mostly carrier ones.
For now, there is no option for users to uninstall SwiftKey from their devices, as Samsung deems the app to be native. In the meantime, users are advised to use the default Google keyboard till the company comes up with a definitive solution.
Earlier, CEO of Kaspersky Labs recently said in an interview that both iOS and Android are the most preferred target for hackers owing to their popularity, while according to him, Windows Phone is ‘so far very clean’. While, a major vulnerability was also reported in Android’s factory reset feature just a few weeks back, which leaves traces of data even after performing a complete factory reset, thus leaving personal data at risk, though the research was conducted on Android devices running Jelly Bean and older versions.