Update: Samsung has provided Tech Times a statement promising an over-the-air security policy update, delivered via Samsung Knox, for the affected smartphones "in a few days." Lindsay J. Hyman, spokesperson for Samsung, says the firm is also working with Swiftkey to prevent further issues.
"Samsung takes emergency security threats very seriously," she says. "We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security. Samsung Knox has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by the issue. The security policy updates will begin rolling out in a few days. In addition to the security policy update, we are also working with Swiftkey to address potential risks going forward."
The original story is below.
More than 600 million Samsung smartphones are at huge risk of being hacked due to a vulnerability lurking in the Swiftkey-developed keyboard preinstalled on the devices.
Mobile security researcher Ryan Welton of Now Secure discovered the security hole, which makes Samsung handsets, including the flagship Galaxy S6, Galaxy S5, Galaxy S4 and Galaxy S4 Mini, vulnerable to being attacked by unscrupulous parties going after unsuspecting individuals' private information.
The Swiftkey keyboard can be manipulated by hackers and tricked into downloading malicious code masquerading as additional language packs when the smartphone is connected to an unsecured Wi-Fi network. Once the malware is embedded into the keyboard, hackers can then take control of the smartphone remotely and do as they please.
"A remote attacker capable of controlling a user's network traffic can manipulate the keyboard update mechanism on Samsung phones and execute code as a privileged (system) user on the target's phone," says Now Secure on its technical blog. "The Swift keyboard comes preinstalled on Samsung devices and cannot be disabled or uninstalled. Even when it is not used as the default keyboard, it can still be exploited."
Among the many things that can be done on a vulnerable smartphone, Welton says hackers could exploit the security hole to gain access to users' sensitive personal data, such as SMS, voice calls, emails, pictures and videos. They can also manipulate other apps already installed on the device, install additional malware without the owner knowing, and access the phone's sensors, camera and microphone.
After discovering the vulnerability in December, Now Secure notified Samsung in the same month. In response, Samsung issued a patch to Verizon, AT&T, Sprint and T-Mobile to close up the security hole, but Now Secure says it is unclear if the wireless carriers have issued the patch to the affected smartphones.
The Galaxy S6 from Verizon and Sprint remains unpatched, as do the Galaxy S5 from T-Mobile and the Galaxy S4 Mini from AT&T. The status of the other devices known to be vulnerable remains unknown.
For now, the best solution for owners of the affected devices is to skip connecting to unknown Wi-Fi networks while the carriers work on acknowledging the vulnerability.
As for other users of Swiftkey who downloaded the keyboard app from Google's Play Store or the Apple App Store, the keyboard remains secure.
Photo: Kārlis Dambrāns | Flickr