The South Korean giant’s Android keyboard, installed on about 600 million devices all over the world, has a vulnerability that could enable hackers to take full control of the tablet or smartphone. The security bug revolves around the update mechanism of the built-in keyboard. That mechanism has been designed to look for language updates for phrases that are trending on a daily or weekly basis. According to the researchers who found the hole, the keyboard is signed with Samsung’s private signing key and operates in one of the most privileged contexts on the device, i.e. the system user.
This problem had been unearthed in the previous year and Samsung had been informed in December. The Android security team of Google Inc. had also been made aware of the Samsung keyboard bug, and Samsung had requested all involved parties to keep the problem under wraps until the company was able to release a patch for it. However, six months later, it remains unclear whether a patch was indeed introduced. The patching process had begun in early 2015 but, as opposed to the direct software update model of Apple Inc., it is beholden to mobile phone carriers to provide their customers with the updates.
It hasn’t been made clear whether carriers have provided the update and on what scale the problem has been eliminated. The primary issue is that a user cannot delete or uninstall the flawed keyboard app and cannot figure out whether the problem has been eradicated with a software update. The major problem exists in Samsung’s code. This means that SwiftKey-based keyboards on Android devices from other manufacturers, and SwiftKey apps from the Google Play Store or for the iPhone, haven’t been affected by this bug. If an Android device manufactured by Samsung is connected to a malicious Wi-Fi network, the device could be exposed to hacking attempts.
When the keyboard tries to update its language pack and trending phrases, the hacker could substitute a backdoor for the update, which would provide them with complete access to the device. This would allow the hacker to remotely access the sensors of the smartphone, including GPS, the microphone or camera, attack sensitive personal data and even eavesdrop on phone calls. SwiftKey’s chief marketing officer, Joe Braid, said that they had only been made aware of the problem on Tuesday and they were working alongside Samsung to fix it.
The issue cannot be fixed just by installing another third-party keyboard, including SwiftKey’s full keyboard, because the Samsung keyboard will still be running in the background. Security experts have said that people cannot do much except stay away from unknown and unreliable networks where a cybercriminal may try to hack or intercept their traffic. An extensive number of Samsung devices have been affected by this problem, including some of the latest Galaxy models such as the Galaxy S6, S5 and S4. The smartphone giant hasn’t commented on the issue as yet.