Samsung Galaxy phones have come under scrutiny for a major security lapse: researchers have found that the pre-installed SwiftKey keyboard can be abused to take control of the phone and plant malware on it.
The SwiftKey keyboard software ships pre-installed on Galaxy smartphones, of which more than 600 million have been sold worldwide, and users can do nothing about the flaw even if they know of it. Nor can they uninstall the software, which is integrated with the device's operating system, security experts said.
From earlier Galaxy models to the latest Galaxy S6, more than 600 million Samsung mobile device users are exposed to a pre-installed keyboard that lets an attacker remotely execute code as a privileged (system) user.
The flaw was found by NowSecure, a mobile security research firm. Its researcher Ryan Welton, who discovered it, said Samsung was notified in December 2014; CERT was also notified and assigned CVE-2015-2865, and the Google Android security team was informed.
The keyboard periodically fetches language-pack updates over an unencrypted connection and applies them with system privileges, so an attacker who can intercept that traffic (for example, on the same Wi-Fi network, or by controlling a DNS server or a network hop on the path) can substitute a malicious update. Once the keyboard applies it, the attacker can:
— Access resources and sensors like GPS, camera and microphone,
— Secretly install malicious software or apps without the user’s knowledge,
— Tamper with other apps or change how the phone works,
— Eavesdrop on incoming or outgoing messages or voice calls, and
— Attempt to access sensitive personal data such as bank account passwords, transactions, pictures and text messages.
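The class of bug behind those consequences is a privileged updater that trusts what it downloads. The following is an added illustration, not NowSecure's code or anything from Samsung or SwiftKey: it builds two constructed sample update archives (a benign one and one whose entry name uses "../" to climb out of the language-pack directory), shows the weak pattern in which a system-privileged extractor would write the hostile entry outside its directory, and beside it a hardened check that pins the archive to an expected digest (standing in for a signature check over an authenticated channel) and rejects any entry that would escape the destination. Paths, entry names and the SHA-256 pinning are illustrative assumptions, not the real language-pack layout.

```python
import hashlib
import io
import os
import zipfile


# Constructed sample inputs (not real SwiftKey language packs): a benign
# archive and one whose second entry uses "../" to climb out of the
# language-pack directory, as a substituted update could.
def build_benign_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("en_US/dictionary.dat", b"benign language data")
    return buf.getvalue()


def build_hostile_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("en_US/dictionary.dat", b"benign language data")
        # Entry name chosen so a naive join lands the file under /system
        zf.writestr("../../system/evil.so", b"attacker payload")
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vulnerable_extract_targets(archive: bytes, dest: str) -> list:
    """The weak pattern: trust every entry name and join it to dest.
    Returns the normalised paths that would be written; an extractor
    running as the system user would place the hostile file outside dest.
    (Only computes paths; writes nothing.)"""
    targets = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            targets.append(os.path.normpath(os.path.join(dest, info.filename)))
    return targets


def validate_entry(dest: str, name: str) -> str:
    """Return the absolute target path for a zip entry, or raise ValueError
    if the entry is absolute or would resolve outside dest."""
    if os.path.isabs(name) or name.startswith("\\"):
        raise ValueError(f"absolute entry name: {name!r}")
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"entry escapes destination: {name!r}")
    return target


def audit_archive(archive: bytes, dest: str, expected_sha256: str) -> dict:
    """Hardened pattern: first pin the archive to a digest obtained out of
    band (in a real updater this would be a signature verified over an
    authenticated channel, which is an assumption of this example), then
    validate every entry before anything is written. Writes nothing."""
    if sha256_hex(archive) != expected_sha256:
        return {"accepted": False, "detail": "archive digest mismatch"}
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            targets = [validate_entry(dest, i.filename) for i in zf.infolist()]
    except ValueError as exc:
        return {"accepted": False, "detail": str(exc)}
    return {"accepted": True, "detail": targets}


if __name__ == "__main__":
    dest = "/srv/langpacks"  # illustrative destination directory
    hostile = build_hostile_archive()
    print("naive extractor would write:", vulnerable_extract_targets(hostile, dest))
    print("hardened check (correct digest):", audit_archive(hostile, dest, sha256_hex(hostile)))
    print("hardened check (wrong digest):", audit_archive(hostile, dest, sha256_hex(build_benign_archive())))
```

The order of the two checks matters: the digest (or signature) check rejects anything a network attacker substituted, and the per-entry path check catches a malformed archive even when it arrived intact, so a fault in either control does not by itself give a file write as the system user.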
The firm said Samsung began supplying a patch to mobile network operators in January 2015, but it is not known whether US carriers such as Verizon, AT&T, T-Mobile and Sprint have pushed the patch out on their networks; NowSecure gave no information for other countries such as India, where Samsung is the leading smartphone vendor.
Though it is difficult to determine how many users remain vulnerable, the firm has listed Galaxy models and carriers together with their known patch status. “Unfortunately, the flawed keyboard app can’t be uninstalled. Also, it isn’t easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update,” said NowSecure.
If your device appears below, contact your telecom service provider to ask whether the patch has been released for it.
DEVICE          CARRIER    PATCH STATUS
Galaxy S6       Verizon    Unpatched
Galaxy S6       AT&T       Unknown
Galaxy S6       Sprint     Unpatched
Galaxy S6       T-Mobile   Unknown
Galaxy S5       Verizon    Unknown
Galaxy S5       AT&T       Unknown
Galaxy S5       Sprint     Unknown
Galaxy S5       T-Mobile   Unpatched
Galaxy S4       Verizon    Unknown
Galaxy S4       AT&T       Unknown
Galaxy S4       Sprint     Unknown
Galaxy S4       T-Mobile   Unknown
Galaxy S4 Mini  Verizon    Unknown
Galaxy S4 Mini  AT&T       Unpatched
Galaxy S4 Mini  Sprint     Unknown
Galaxy S4 Mini  T-Mobile   Unknown