Vulnerability could put up to 600 million Samsung smartphones at risk
According to a report published by security specialist NowSecure, a vulnerability in the Swift keyboard software, pre-installed on Samsung devices, can allow a remote attacker to execute code on the user's phone as well as access functions like the microphone and camera.
Worse still, there's no way to uninstall Swift, and the flaw can be exploited even if you don't use the app. It affects leading Samsung smartphone models from the Galaxy S4 to the S6.
Samsung and the Google security team were notified in December 2014. Samsung began providing a patch to mobile network operators in early 2015, but it's not known if the carriers have rolled out the patch to devices on their networks. It's also difficult to determine how many mobile device users remain vulnerable, given the device models affected and the number of network operators globally.
It isn't easy for users to tell whether their device has been patched, either. NowSecure recommends that users avoid connecting to insecure Wi-Fi networks, contact their service provider for patch details, or even temporarily switch to a different mobile device.
Standalone SwiftKey apps on the Google Play and Apple App Stores are not affected by this flaw. A SwiftKey statement says, "We supply Samsung with the core technology that powers the word predictions in their keyboard. It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability. We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this important security issue".
It goes on to say that the vulnerability is not easy to exploit and that users would need to be connected to a compromised network where hackers had the right tools available to attack their device.
More information including a list of affected Samsung models is available on the NowSecure website.