Users of Samsung Galaxy devices should take note of a new report on a security flaw that affects their phones.
The flaw reportedly allows attackers to install malware on affected devices and even eavesdrop on calls. Worse, there is little an end user can do about it: the vulnerable keyboard ships as system software on the phone, so it cannot be uninstalled.
Samsung provided a patch for the security flaw
NowSecure, a Chicago-based security firm, claims that a bug in the Swift keyboard software allows an attacker to execute arbitrary code on the devices. The keyboard comes preinstalled on more than 600 million Samsung devices.
Swift has access to most functions of a Samsung smartphone because it runs as privileged system software. An attacker exploiting the weakness could install malware, access the camera, microphone and GPS, eavesdrop on calls and intercept messages, tamper with the behavior of other apps, and steal photos and messages.
NowSecure reportedly told Samsung about the flaw in December 2014, and the company released a patch to mobile carriers in “early 2015.” It is not clear how many carriers have passed the patch on to their users.
Low risk vulnerability on a huge number of devices
A long list of devices is potentially at risk, including the Samsung Galaxy S6, S5, S4 and S4 mini on major U.S. carriers. Because the attack requires the attacker to control the network the phone is connected to, owners of affected devices are advised to avoid unsecured Wi-Fi networks, or to switch to an alternative device.
Do not confuse the pre-installed Swift software with the SwiftKey keyboard app, which is available on Google Play. SwiftKey CMO Joe Braidwood told Mashable that the flaw is not related to the SwiftKey app.
“We supply Samsung with the core technology that powers the word predictions in their keyboard. It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability,” he said in a statement.
Despite the huge number of affected devices, the vulnerability is a “low risk” one, according to Braidwood. “A user must be connected to a compromised network (…), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time,” he argues.