Samsung Galaxy phone vulnerability affects 600 million devices

The hijacking involves a typical man-in-the-middle attack in which malicious software is injected into the target device using a public Wi-Fi network. The issue is caused by a flaw in the software updater used by the keyboard on Samsung phones.
International Business Times reports that the vulnerability was discovered by Ryan Welton, a security researcher for NowSecure. He writes that over 600 million Samsung Android phones worldwide could be affected, including the flagship Galaxy S5 and S6 devices.
If exploited, the issue would allow an attacker on a public Wi-Fi network to remotely execute code with the highest-level privileges on the user’s phone. This would allow them to access sensors including the camera, microphone and location without the user knowing. Alternatively, personal data including messages, email and photos could be accessed and retrieved, calls monitored or apps secretly installed.
NowSecure alerted Samsung to the issue in November 2014. The company issued an update in early 2015, but not every affected phone has received it yet, as carriers are still sitting on it.
International Business Times notes that, in particular, Verizon and Sprint Galaxy S6 units are still affected, as is the T-Mobile Galaxy S5. Additionally, some older phones such as the Galaxy S4 were open to exploitation for over two years after launch, potentially allowing attackers to regularly use the vulnerability in the wild.
The affected keyboard is powered by the well-known third-party Android keyboard app SwiftKey, which is available for download to any Android device from the Play Store. The variant preinstalled on Samsung phones is a different version, though, and the company has confirmed that SwiftKey downloads from the Google Play Store are secure and not affected by the vulnerability. The same applies to SwiftKey for iOS.
On Samsung phones, the SwiftKey-powered system keyboard cannot be disabled or removed. Even if a custom keyboard is used, the Samsung one will remain and continue to auto-update itself, keeping the vulnerability alive. With devices still open to serious exploitation, owners should hope that Samsung will take action soon to get the updates out the door more quickly. The company told International Business Times that it will issue a statement soon.
