600mn Samsung devices face hacking risk due to keyboard app vulnerability

Reuters / Gustau Nacarino
Some 600 million users of Samsung mobiles devices are reportedly at risk due to a preinstalled app that can be exploited by hackers to take control of the devices. The app cannot be disabled, so it’s up to Samsung to fix the flaw.

SwiftKey is a keyboard app for mobile devices. One of its versions, SwiftKey IME, comes prepackaged with Samsung Galaxy phones. It cannot be uninstalled or disabled and remains active even if not used. And it also has high privileges in the system, allowing it to write files in a phone’s memory.

The app periodically prompts a server whether an update for it is available. A malicious party controlling the traffic, for example through an insecure Wi-Fi connection, can replace a proper server response with malicious code. It would then be executed once the hacked phone is rebooted, Ryan Welton, cybersecurity expert with NowSecure, has explained in a blog. The hacking process was demonstrated in a video.

The injected code can give a hacker pretty much unrestricted access to the phone, allowing him or her to tap its microphone and camera, install more malicious apps, steal personal data and eavesdrop on voice calls.

The vulnerability is based on how SwiftKey validates its updates, the report said. A manifest file that is supposed to prove that the update is valid is sent unencrypted and can be replaced with a fake one to trick the app into accepting the malicious file.

"These types of things are well within the capability of other organizations, and I think it's very naive to think other people haven’t found this or haven’t used this," NowSecure CEO Andrew Hoog told The Washington Post.

The company suggests that users should avoid insecure Wi-Fi networks to protect themselves from this hack, the expert suggested. However there are other ways to take control of a phone’s traffic, he added, so patching the flaw is needed anyway.

SwiftKey said it was aware of the report and that the versions of its app provided through Google Play as opposed to being preinstalled on Samsung Galaxy phones was free from the vulnerability.

Samsung said it would roll out an update to security policy of the phones and is working with SwiftKey to “address potential risks going forward.”

“Samsung KNOX has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue,” Samsung said in a statement. “The security policy updates will begin rolling out in a few days.”