Over 600 million Samsung mobile device users may be at risk due to a significant security threat, according to researchers at mobile security specialist NowSecure.
Researcher Ryan Welton, who uncovered the flaw residing in the pre-installed keyboard of some Samsung phones, demonstrated his findings during a Black Hat Mobile Security Summit presentation, titled “Abusing Android Apps And Gaining Remote Code Execution,” yesterday (June 16) in London.
Welton was able to corrupt the process of updating one of the virtual keyboards found on many Samsung devices, ultimately allowing him to listen in on phone conversations, look through text messages and contact information and even turn on the microphone to capture audio.
According to NowSecure’s report on the vulnerability, Samsung was notified about the security issue back in December of 2014. As of yesterday, the report also provided a known (but not all-inclusive) list of impacted devices by carrier, along with the status of a patch for each. The list covered several popular Samsung mobile devices like the Galaxy S6, Galaxy S5 and Galaxy S4, all of which showed a patch status of either “unknown” or “unpatched.”
“While Samsung began providing a patch to mobile network operators in early 2015, it is unknown if the carriers have provided the patch to the devices on their network,” NowSecure stated. “In addition, it is difficult to determine how many mobile device users remain vulnerable, given the device models and number of network operators globally.”
The exploitation is rooted in the SwiftKey keyboard on the Samsung devices, which “looked for language pack updates over unencrypted lines,” Forbes reported.
Because the update check was unauthenticated, Welton was able to send malicious updates to the affected devices, along with data that ensured the bad code would remain on the phone. This opened the door to escalated attacks on the phones, all while users remained completely unaware.
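The two preceding paragraphs describe the root cause: the keyboard fetched language-pack updates over an unencrypted connection and installed whatever came back. The following is an added illustration written for this page, not code from Samsung, SwiftKey or NowSecure, and it does not reproduce the real update format. It assumes a constructed response shape (a `pack` body and a `sig` field) and uses an HMAC tag as a stand-in for the asymmetric signature a real vendor would use, since that keeps the example runnable with only the Python standard library. It contrasts an update routine that trusts the transport with one that refuses plaintext URLs and verifies the pack before installing it, and shows that an on-path modification of the response is installed by the first and rejected by the second.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed stand-in for the vendor's signing key. In a real updater the
# vendor would sign with a private key and the device would hold only the
# public key; HMAC is used here purely so the example runs offline.
VENDOR_KEY = b"constructed-vendor-signing-key"

# Constructed update endpoints; .invalid is reserved and never resolves.
HTTP_URL = "http://updates.example.invalid/langpack"
HTTPS_URL = "https://updates.example.invalid/langpack"


class UpdateRejected(Exception):
    """Raised by the hardened updater when a response must not be installed."""


def sign_pack(pack: bytes, key: bytes = VENDOR_KEY) -> str:
    """Vendor-side step: produce the integrity tag shipped with a pack."""
    return hmac.new(key, pack, hashlib.sha256).hexdigest()


def apply_update_unverified(url: str, response: dict) -> bytes:
    """The pattern the article describes: fetch over whatever transport the
    URL names and install whatever comes back, with no integrity check."""
    return response["pack"]


def apply_update_verified(url: str, response: dict) -> bytes:
    """Hardened updater: require an encrypted transport and a valid tag."""
    if urlparse(url).scheme != "https":
        raise UpdateRejected("update URL must use https")
    pack = response["pack"]
    expected = sign_pack(pack)
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(expected, response.get("sig", "")):
        raise UpdateRejected("pack failed integrity check")
    return pack


def tamper(response: dict) -> dict:
    """Simulate what an on-path party can do to a plaintext response: swap
    the body while leaving the original tag in place (constructed)."""
    return {"pack": b"<constructed tampered pack>", "sig": response["sig"]}


def rejects(fn) -> bool:
    """True if calling fn raises UpdateRejected."""
    try:
        fn()
    except UpdateRejected:
        return True
    return False


def run_scenarios() -> dict:
    """Exercise both updaters against a genuine and a tampered response."""
    genuine = b"<constructed genuine language pack>"
    resp = {"pack": genuine, "sig": sign_pack(genuine)}
    out = {}
    # Plaintext fetch with no check: the tampered body is installed silently.
    out["unverified_installs_tampered"] = (
        apply_update_unverified(HTTP_URL, tamper(resp)) != genuine
    )
    # Hardened fetch over https: the genuine pack is accepted.
    out["verified_accepts_genuine"] = (
        apply_update_verified(HTTPS_URL, resp) == genuine
    )
    # Hardened fetch: the tampered body fails the integrity check.
    out["verified_rejects_tampered"] = rejects(
        lambda: apply_update_verified(HTTPS_URL, tamper(resp))
    )
    # Hardened fetch: plaintext transport is refused even for a genuine pack.
    out["verified_rejects_plaintext"] = rejects(
        lambda: apply_update_verified(HTTP_URL, resp)
    )
    return out


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'as expected' if ok else 'UNEXPECTED'}")
```

The transport check and the integrity check are independent defences: TLS alone stops on-path modification but not a compromised mirror, while a signature on the pack protects the content regardless of how it was fetched, which is why a robust updater applies both.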
The most unsettling point is that if Welton could figure this out, hackers might too.
Left in the wrong hands, this exposes users with impacted devices to the possible sharing of information considered private, like text messages, bank logins and contact data. The vulnerability could also allow a hacker to secretly install malicious apps, tamper with how the phone works and even access sensors and resources like the phone’s GPS or camera.
When asked about the vulnerability, a SwiftKey representative told Forbes: “We’ve seen reports of a security issue related to the Samsung keyboard. We can confirm that the SwiftKey Keyboard apps available via Google Play or the Apple App Store are not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.”
NowSecure suggested users reduce their risk by avoiding non-secure Wi-Fi networks, contacting carriers for additional information on patches and even using a different device altogether, considering the keyboard cannot be uninstalled.