There’s a security hole in Samsung’s default keyboard app for the Galaxy S6. The customised version of Swiftkey that the phone ships with in Australia doesn’t update itself securely, and that means a talented hacker could, under very specific circumstances, run malicious code on your smartphone. Samsung is working on the fix, but isn’t talking about why it has already taken several months.
Security researchers NowSecure found the potential for a remote code execution on Samsung’s Galaxy S6 handset in security testing. The issue stems from the fact that the Samsung-modified version of the popular Swiftkey keyboard, installed as a default system app, runs its updates as a system user — a highly privileged user account status one step short of root.
When requesting a different language pack for the keyboard, the keyboard app sends a request in the open to a Web address on Swiftkey’s servers. On a compromised Wi-Fi network, there’s the potential for a malicious user to spoof that address and download files to a Samsung smartphone, which will then be unpacked and unloaded into the phone’s file system with high-access system user privileges — potentially causing damage under these extremely specific circumstances. It’s extremely unlikely that this confluence of events would ever occur in the wild, but it’s a security risk nonetheless.
Responding to enquiries from both News Corp and Fairfax Media, Samsung Australia issued a short statement on the matter:
Samsung Electronics Australia takes security threats very seriously. We are committed to providing the latest mobile security and we are working quickly to investigate and resolve the matter. We will provide further information as it becomes available.
So there’s a fix in the works, but no real details are available as to when it’ll be available. Droid-Life suggests the fix is “a few days” away according to a Samsung spokesperson internationally.
The keyboard can’t be uninstalled or even disabled, and the issue continues to exist even if you’re using another keyboard like Fleksy or even standard Swiftkey from the Google Play Store. Because of that, it’s a persistent security risk until the hole is plugged.
Here’s what Samsung said to Droid-Life, along very similar lines as the previous statement:
Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security. Samsung Knox has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days. In addition to the security policy update, we are also working with Swiftkey to address potential risks going forward.
Until a fix is issued, we’d suggest you stay away from unsecured or unfamiliar Wi-Fi networks. [NowSecure]