A vulnerability in the keyboards of recent Samsung smartphones – including the Galaxy S5 and S6 – has left hundreds of millions of handsets open to hackers who could gain remote access to the camera, microphone and inbox.
Discovered by Ryan Welton, a mobile security researcher at NowSecure, the flaw relates to how Samsung phones update the software powering their on-screen keyboards, provided by SwiftKey. Welton claims up to 600 million handsets are vulnerable.
Hackers connected to the same Wi-Fi network as the flawed phones can tap into a software update and gain access to the GPS, camera and microphone, install malicious applications without the user noticing and even eavesdrop on calls and read text messages.
Welton found that, once he had injected software into a target handset through a public Wi-Fi network – known as a 'man-in-the-middle' attack – he could monitor the device from afar and away from the hotspot.
SwiftKey comes pre-installed on many Samsung devices and cannot be disabled or removed – an alternative keyboard can be used, but even then the phone will still receive updates to its SwiftKey keyboard. Vulnerable handsets include the Samsung Galaxy S4 and S4 Mini, the Galaxy S5 and the Galaxy S6. Phones on US networks including T-Mobile, Sprint, AT&T and Verizon are all affected.
Samsung was alerted to the problem in November 2014. While it has offered a patch to fix this, it was only issued in early 2015, a year after the S5 went on sale and two years after the S4.
An additional problem is that carriers do not always pass patches on to their customers quickly; updates can take up to a year to reach users' hands. As of press time, the Galaxy S6 on Verizon and Sprint has not received the patch, and neither has the Galaxy S5 on T-Mobile nor the S4 Mini on AT&T.
SwiftKey says that versions of its keyboard downloaded to other Android handsets and iPhones are not affected by the flaw. In a statement sent to several publications, the company said: "We can confirm that the SwiftKey Keyboard app available via Google Play or the Apple App Store is not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further."
Samsung has told IBTimes UK that it will be issuing a statement on the matter soon. We will update this story when we receive it.