Samsung keyboard flaw leaves 600m Galaxy devices open to attack

Got a Samsung Galaxy? Avoid insecure Wi-Fi networks. Photo: Killian Bell/Cult of Android

A mobile security researcher has discovered a vulnerability in the Swift keyboard on Samsung’s Android devices that allows an attacker to remotely run malicious code. Over 600 million Galaxy handsets are said to be affected, including the company’s new Galaxy S6 and S6 edge.

Discovered by NowSecure mobile security researcher Ryan Welton, the flaw allows attackers to access features like the camera, microphone, and GPS, and even eavesdrop on incoming and outgoing calls and messages. It could also be used to tamper with other apps, and to access pictures and other sensitive data.

Devices affected include the Galaxy S4 and Galaxy S4 mini, the Galaxy S5, and the Galaxy S6 and S6 edge.

Unlike the Swift keyboard found in Google Play, the version pre-installed on Samsung devices is baked into the company’s code and cannot be disabled or removed. What’s more, it’s signed with Samsung’s private signing key and has system user access, which is what makes it so dangerous.

“Even when it is not used as the default keyboard, it can still be exploited,” Welton explains.

What’s most worrying about this vulnerability is that an attacker can take advantage of it remotely; they do not need physical access to your handset. Code can be injected over rogue Wi-Fi access points and cellular base stations, and even via DNS hijacking.

With little more than a piece of software and a Wi-Fi USB dongle, Welton was able to take advantage of Swift’s update mechanism, which automatically downloads new language packs in the background, to inject a rogue language pack that contains malicious code.

Welton notes that the payload is specific to the model of Samsung device, but adds that Swift is “kind enough to give us model version and build information in the http headers where they ask the server for the languagePack update.”

If you want the intricate details, which include a complete step-by-step account of how Welton took advantage of the flaw, you’ll find them on the NowSecure blog via the source link below.

Fortunately, Samsung is already aware of this issue, and it has begun issuing patches to all U.S. carriers. However, it’s unclear how many of those have actually made it available to devices, or whether international carriers have also received the fix.

If you want to avoid the risk, the best thing you can do is simply steer clear of insecure Wi-Fi networks. If you’re really worried, NowSecure recommends using a different smartphone, or contacting your carrier to see if Samsung’s patch has been made available for your device.