NowSecure has reported a critical vulnerability in the keyboard software that comes pre-loaded on Samsung Galaxy series phones. If it is exploited, a hacker can gain access to the phone, remotely monitor it, install malware, or even steal personal data. According to the report, over 600 million Samsung smartphones that have the SwiftKey keyboard pre-loaded have been exposed.
Ryan Welton, mobile security specialist at NowSecure, found that the pre-installed SwiftKey app can be tricked into downloading language pack updates over an unencrypted connection, in plain text. Thus, under the pretence of language packs, malicious code can be injected to take control of the smartphone.
Once that code gives the attacker access, the phone’s data, messages, and everything else are exposed without leaving even a hint to the user.
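The weakness described above is an update fetched in plain text and then trusted as is. The following is an added example, not code from NowSecure, Samsung or SwiftKey, of the checks an update client can apply before installing a language pack. The names `verify_pack`, `UpdateRejected` and the host `updates.example.com` are hypothetical, and the manifest is assumed to have reached the device over an authenticated channel.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

class UpdateRejected(Exception):
    """The downloaded language pack must not be installed."""

def verify_pack(url, payload, manifest):
    """Return the pack name if url and payload pass every check (hypothetical helper)."""
    parts = urlsplit(url)
    # Plain-text transport lets anyone on the network path swap the payload.
    if parts.scheme != "https" or not parts.hostname:
        raise UpdateRejected("update URL is not HTTPS")
    name = parts.path.rsplit("/", 1)[-1]
    entry = manifest.get(name)
    if entry is None:
        raise UpdateRejected("pack is not listed in the trusted manifest")
    if len(payload) != entry["size"]:
        raise UpdateRejected("size differs from manifest")
    digest = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison of the computed and expected digests.
    if not hmac.compare_digest(digest, entry["sha256"]):
        raise UpdateRejected("SHA-256 differs from manifest")
    return name

def outcome(url, payload, manifest):
    """Map one update attempt to 'install <name>' or the rejection reason."""
    try:
        return "install " + verify_pack(url, payload, manifest)
    except UpdateRejected as exc:
        return "reject: " + str(exc)

# Constructed sample data: a stand-in pack and the manifest entry derived from it.
# Assumption: the manifest itself was obtained over an authenticated channel.
PACK = b"constructed language pack bytes"
MANIFEST = {"en_US.zip": {"size": len(PACK), "sha256": hashlib.sha256(PACK).hexdigest()}}
HTTPS_URL = "https://updates.example.com/packs/en_US.zip"  # placeholder host

if __name__ == "__main__":
    print(outcome(HTTPS_URL, PACK, MANIFEST))                    # genuine pack
    print(outcome("http://updates.example.com/packs/en_US.zip", PACK, MANIFEST))
    print(outcome(HTTPS_URL, PACK[:-1] + b"X", MANIFEST))        # altered in transit
```

The digest check only helps when the manifest is itself authenticated; a manifest fetched over the same plain-text connection can be rewritten along with the payload.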
NowSecure informed Samsung in November 2014, and the Korean company reportedly handed over a patch to mobile operators across the world. However, millions of Samsung devices with SwiftKey are still vulnerable via this loophole.
For now, only the pre-installed SwiftKey app is vulnerable, not the versions from the Google Play Store or the Apple iOS Store. SwiftKey cannot be uninstalled from Samsung’s Galaxy range of devices, since the app has been whitelisted and deemed to be native. Until a patch is released for the Samsung phones, it is advisable to use Google Keyboard or any other third-party keyboard in the meantime.