During a presentation titled “Abusing Android Apps and Gaining Remote Code Execution” at Black Hat London, mobile security researcher Ryan Welton, working at NowSecure, revealed that over 600 million Samsung mobile devices, including phones and tablets, are vulnerable to attacks that are “completely silent, highly reliable, and affects all devices” by Samsung, as reported in Forbes.
The built-in vulnerability
Every Samsung Galaxy phone user has seen the ‘Swift’ keyboard that comes pre-installed on the phone as the default keyboard application. This Swift keyboard app puts the user’s privacy and the phone at risk due to a hugely significant security flaw that’s inherent in the keyboard.
Moreover, because the application is pre-installed on Samsung Galaxy phones, it cannot be uninstalled, and switching over to another keyboard does not disable it. Essentially, a Samsung phone that does not use Swift keyboard as its default keyboard application can still be exploited.
“Unfortunately, the flawed keyboard app can’t be uninstalled or disabled. Also, it isn’t easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update,” noted Welton.
If exploited, an attacker or malicious hacker could gain the means to remotely:
- Eavesdrop or listen in to incoming/outgoing voice calls and messages.
- Have access to user behavior and records by accessing sensors on the phone like its GPS, microphone and even the phone’s camera.
- Tamper with and manipulate other installed applications on the phone, altering how they might work.
- Install malicious (malware/spyware/Trojan) applications on the phone without the user’s knowledge.
- Gain access to the user’s personal data like pictures, text messages and emails stored on the phone.
- Hijack the DNS on the phone, leaving the user vulnerable to phishing by secretly redirecting them to spoofed websites.
Samsung was notified of the vulnerability by NowSecure in December 2014. Subsequently, Samsung provided a patch to wireless carriers in early 2015. “Given the magnitude of the issue, NowSecure notified CERT who assigned CVE-2015-2865, and also informed the Google Android security team,” said NowSecure in a blog post.
Not all devices are patched, however, since each individual carrier has to push the fix as a download to the vulnerable phones on its network.
A SwiftKey spokesperson said: “We’ve seen reports of a security issue related to the Samsung keyboard. We can confirm that the SwiftKey Keyboard apps available via Google Play or the Apple App Store are not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.”
The Samsung phones at risk
Here’s a list of the vulnerable phones. (Note: This isn’t an all-inclusive list, according to NowSecure.)
- Verizon: Samsung’s current flagship, the Galaxy S6, remains “unpatched.” It’s unknown if the fix has been pushed to the Galaxy S5, the Galaxy S4 and the Galaxy S4 Mini.
- AT&T: Patch status is “unknown” for the Galaxy S6, Galaxy S6 and Galaxy S4.
- Sprint: Galaxy S6 remains “unpatched” and patch status is unknown for the remaining phones.
- T-Mobile: Galaxy S5 is “unpatched” and the remaining phones’ status is “unknown.”
In summing up, Welton added:
“To reduce your risk, avoid insecure Wi-Fi networks, use a different mobile device and contact your carrier for patch information and timing.”