WASHINGTON — More than 600 million Samsung Galaxy devices are vulnerable to a security flaw that allows criminals to install malware or eavesdrop on phone calls. But experts say it’s unlikely hackers actually accessed most users’ phones.
Security firm NowSecure reports a bug in how the SwiftKey keyboard software, which is preinstalled as part of the operating system on more than 600 million Samsung devices, can allow an attacker to execute code on the user’s phone.
“The real world possibility of becoming a victim of this security hole is virtually zero,” says Ken Colburn of the Data Doctors.
That’s because in order to be compromised, users must connect to a hacker’s rigged Wi-Fi set up to take advantage of anyone who signs on. Secondly, when connected to that Wi-Fi, the user must be in the process of updating the language of his phone at the moment that hackers are attempting to access it, Colburn says.
SwiftKey is keyboard software that learns from previous typing to offer suggestions, and offers users the opportunity to quickly slide on a touch screen from letter to letter, rather than lifting their fingers.
Since the keyboard is integral to most of a phone’s functions, according to Mashable “an attacker can secretly install malware on a user’s device, access the device’s camera, microphone and GPS, eavesdrop on calls and messages, change the way other apps behave and even steal photos and text messages.”
The potentially-at-risk SwiftKey keyboard software that’s part of the operating system differs from the SwiftKey mobile app, which is available for download from Google Play and the Apple App Store.
“SwiftKey is a very popular app on any phone. Anyone that has that does not need to freak out. The SwiftKey app itself isn’t vulnerable to this particular situation,” he says, to allay the concerns of SwiftKey users who do not own Samsung phones.
The list of potentially vulnerable devices includes Samsung Galaxy S6, S5, S4 and S4 mini.
The security firm says it notified Samsung of the vulnerability in December 2014. NowSecure is suggesting users avoid unsecured Wi-Fi networks.
Colburn suggests keeping things in perspective.
“Samsung and the various cellular providers will be patching the hole at some point, but for now, there is nothing users can or need to do to protect themselves.”
In a statement to WTOP after this story was published, a Samsung representative said:
“(As of June 16 when the issue was first publicly reported in Korea) The likelihood of making a successful attack exploiting this vulnerability is low. There have been no reported customer cases of Galaxy devices being compromised through these keyboard updates.
But as the reports indicate, the risk does exist and Samsung will roll out a security policy update in the coming days.
This vulnerability, as noted by the researchers, requires a very specific set of conditions for a hacker to be able to exploit a device this way. This includes the user and the hacker physically being on the same unprotected network while downloading a language update. Also, on a KNOX-protected device there are additional capabilities in place such as real-time kernel protection to prevent a malicious attack from being effective.”