Samsung smartphones come bundled with SwiftKey, a piece of software that helps run the device's touchscreen keyboard. But SwiftKey's updates are unencrypted - which, when combined with the fact that Samsung gives the software system-level access to the device, means intruders can hijack the update and remotely execute code and malicious programs.
According to security company NowSecure, which first discovered the vulnerability, hackers could carry out a number of dangerous actions, including:
- Access sensors and resources like GPS, camera and microphone
- Secretly install malicious apps without the user knowing
- Tamper with how other apps work or how the phone works
- Eavesdrop on incoming/outgoing messages or voice calls
- Attempt to access sensitive personal data like pictures and text messages
Because SwiftKey comes pre-installed on devices, it can't be uninstalled, leaving devices constantly vulnerable. Attacks have to take place over unsecured networks, like public Wi-Fi, so NowSecure suggested staying away from open connections to mitigate the threat. (Or better yet, just "use a different mobile device.")
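The advice above is for users; the vendor-side fix for an updater that trusts whatever arrives over the network is to authenticate each download before applying it. This Go snippet is an added illustration, not code from SwiftKey, Samsung or NowSecure: it verifies a detached Ed25519 signature against a publisher key pinned in the app, and rejects a payload altered in transit. The key pair, the sample payload and the SignUpdate helper are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadSignature is returned for any update that does not verify.
var ErrBadSignature = errors.New("update rejected: signature does not verify against pinned publisher key")

// VerifyUpdate checks a downloaded update against a detached signature using a
// publisher key pinned in the app. The signature covers the SHA-256 digest of
// the payload, so a single byte changed on the wire makes verification fail.
func VerifyUpdate(pinned ed25519.PublicKey, payload, sig []byte) error {
	if len(pinned) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	digest := sha256.Sum256(payload)
	if !ed25519.Verify(pinned, digest[:], sig) {
		return ErrBadSignature
	}
	return nil
}

// SignUpdate is the publisher side (hypothetical helper so the example runs
// stand-alone): the private key stays with the publisher and never ships on the device.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return ed25519.Sign(priv, digest[:])
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample update payload.
	update := []byte("example-langpack-en_US v1.0")
	sig := SignUpdate(priv, update)
	fmt.Println("genuine update:", VerifyUpdate(pub, update, sig)) // <nil>

	// The same bytes modified in transit on an open network.
	tampered := append([]byte{}, update...)
	tampered[0] ^= 0x01
	fmt.Println("tampered update:", VerifyUpdate(pub, tampered, sig)) // rejected
}
```

Pinning the key in the app (rather than fetching it over the same channel) is what makes the check meaningful; transport encryption alone would still leave a compromised or spoofed server able to push code to a system-privileged process.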
Samsung says on its Samsung Tomorrow blog that it thinks "the likelihood of making a successful attack, exploiting this vulnerability is low," and that "there have been no reported customer cases of Galaxy devices being compromised."
However, the post continues, "as the reports indicate, the risk does exist and Samsung will roll out a security policy update in the coming days ... In addition to the security policy update, we will continue to work with related parties such as SwiftKey to address potential risks going forward."
NowSecure first found the bug in December 2014 and notified Samsung, which prepared an initial patch in "early 2015." However, this patch relied on carriers to roll it out, and tests carried out this month by the security company found that multiple off-the-shelf devices were still vulnerable, prompting it to go public.