NowSecure has reported a critical vulnerability in the keyboard that comes pre-loaded on Samsung Galaxy series phones. If left unpatched and exploited, it lets an attacker gain full access to the handset, remotely monitor it, install malware, or even steal the user's personal data. Details on this hack can be found after the fold.
More than 600 million Samsung mobile device users are said to be affected by a significant security risk on leading smartphones, including the recently launched Galaxy S6. Samsung was notified in December 2014, and given the magnitude of the issue, NowSecure also informed the Google Android security team.
Ryan Welton, a mobile security specialist at NowSecure, found that the pre-installed SwiftKey app can be tricked into downloading language pack updates over an unencrypted connection, in plain text, where malicious code can be injected to take control of the smartphone. Once that code gives the attacker access, the phone's data, messages and everything else can be exploited without any hint to the user.
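An updater that refuses plaintext transport and authenticates what it downloads closes the injection path described above. This is an added example, not code from SwiftKey, Samsung or NowSecure; the URL, key and pack contents are constructed, and the HMAC stands in for the public-key signature a shipped app would verify.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed key for this example. A shipped app would embed a public key
# and verify an asymmetric signature instead of sharing an HMAC secret.
PINNED_KEY = b"example-only-manifest-key"

class UpdateRejected(Exception):
    """Raised when an update fails a transport or integrity check."""

def entry_tag(digest_hex: str) -> str:
    # Authentication tag over a manifest entry (publisher side and verifier side).
    return hmac.new(PINNED_KEY, digest_hex.encode(), hashlib.sha256).hexdigest()

def verify_pack(url: str, pack: bytes, manifest_sha256: str, manifest_tag: str) -> bytes:
    """Return the pack bytes only if transport and integrity checks all pass."""
    # Plain HTTP lets anyone on the network path replace the response body.
    if urlsplit(url).scheme.lower() != "https":
        raise UpdateRejected("refusing non-TLS update URL")
    # The digest itself must be authentic; otherwise whoever rewrites the
    # pack in transit simply rewrites the digest that travels with it.
    if not hmac.compare_digest(entry_tag(manifest_sha256).encode(), manifest_tag.encode()):
        raise UpdateRejected("manifest entry is not authenticated")
    # The downloaded bytes must match the authenticated digest.
    actual = hashlib.sha256(pack).hexdigest()
    if not hmac.compare_digest(actual.encode(), manifest_sha256.encode()):
        raise UpdateRejected("language pack digest mismatch")
    return pack

def outcome(url: str, pack: bytes, digest: str, tag: str) -> str:
    """Run verify_pack and describe the decision as a string."""
    try:
        verify_pack(url, pack, digest, tag)
        return "accepted"
    except UpdateRejected as exc:
        return f"rejected: {exc}"

# Constructed sample data: a genuine pack and its authenticated manifest entry.
GOOD_PACK = b"constructed language pack contents"
GOOD_DIGEST = hashlib.sha256(GOOD_PACK).hexdigest()
GOOD_TAG = entry_tag(GOOD_DIGEST)
HTTPS_URL = "https://updates.example/languagepacks/en.pack"

if __name__ == "__main__":
    print(outcome(HTTPS_URL, GOOD_PACK, GOOD_DIGEST, GOOD_TAG))
    print(outcome(HTTPS_URL.replace("https", "http"), GOOD_PACK, GOOD_DIGEST, GOOD_TAG))
```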
Millions of Samsung devices with SwiftKey are still vulnerable via this loophole. If the flaw in the keyboard is exploited, an attacker could remotely:
- Access sensors and resources like GPS, camera and microphone
- Secretly install malicious app(s) without the user knowing
- Tamper with how other apps work or how the phone works
- Eavesdrop on incoming/outgoing messages or voice calls
- Attempt to access sensitive personal data like pictures and text messages
Here’s a tip for dealing with it. For now, only the pre-installed SwiftKey app is vulnerable, not the versions downloaded and installed from Google Play or the iOS App Store. Unfortunately, there is no way to uninstall SwiftKey from Samsung’s Galaxy range of devices, since the app is integrated as a stock native app. Nevertheless, a patch has been released for the Samsung phones, and it is advisable to use Google Keyboard or any other third-party keyboard in the meantime.