According to research disclosed at the Black Hat conference in London on Tuesday, Samsung Galaxy models from the S4 through the S6 are exposed to remote compromise because of a bug in the devices’ pre-installed keyboard software.
Researchers at the security firm NowSecure say the flaw lets an attacker remotely take control of the device’s camera, microphone and GPS.
The same bug can give an attacker access to text messages and any other data stored on the device, allow calls to be eavesdropped on, and allow malicious apps to be installed without the user’s knowledge.
The root of the problem is the updater for Samsung’s default virtual keyboard. The keyboard is a customised version of SwiftKey’s word-prediction technology, but the flaw is in Samsung’s own code: SwiftKey-based keyboards on Android devices from other manufacturers are unaffected.
The keyboard periodically checks for updates to its language packs. If the phone is connected to a network the attacker controls (a rogue Wi-Fi hotspot, for example), the attacker can answer that update request with a malicious file in place of the genuine one and gain a foothold on the device. Because the keyboard is part of the system image and checks for updates on its own, the threat remains even if the user has switched to a different keyboard app.
Two issues in the update process combine to make this possible. First, the language-pack update files are sent in the clear, with no encryption and no check that what arrived is what the vendor published, so anyone who can intercept the traffic can replace them with anything they like. Second, Samsung phones run the updater for their pre-installed software with very high privileges, so a malicious file it installs lands with those privileges and bypasses the permission model that Android normally imposes on apps.
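The following simulation, added here for illustration and not code from Samsung, SwiftKey or NowSecure, shows the two halves of the problem described above: an updater that installs whatever bytes come back from an unauthenticated fetch will happily install a pack substituted by whoever controls the network, while one that pins the pack’s digest from a manifest obtained over an authenticated channel (an assumption of the example) and refuses archive entries that climb out of the install directory rejects the swap before anything is written. The network stub, URLs, file names and packs are all constructed for the example.

```python
"""Simulated language-pack updater: an unauthenticated update fetched over an
untrusted network can be swapped, and one way to reject the swap.
Added example, not vendor code; the network, URLs, file names and manifest
digest are constructed assumptions."""
import hashlib
import io
import posixpath
import zipfile


def build_pack(files: dict) -> bytes:
    """Build a zip archive in memory from {entry name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: the genuine pack the vendor would serve ...
GENUINE_PACK = build_pack({"lang/en_GB.dict": b"colour\nfavourite\n"})
# ... and the replacement an attacker on the same network would inject.
# The second entry name escapes the install directory when written out as-is.
MALICIOUS_PACK = build_pack({
    "lang/en_GB.dict": b"colour\n",
    "../../system/bin/payload": b"#!/system/bin/sh\nid\n",
})


class Network:
    """Stand-in for the HTTP fetch. An attacker-controlled network returns
    whatever the attacker wants, regardless of which URL was requested."""

    def __init__(self, attacker_controlled: bool):
        self.attacker_controlled = attacker_controlled

    def get(self, url: str) -> bytes:
        return MALICIOUS_PACK if self.attacker_controlled else GENUINE_PACK


def naive_update(net: Network) -> list:
    """Weak updater: installs whatever bytes arrive for the pack URL.
    Returns the entry names it would write out, exactly as received."""
    pack = net.get("http://updates.example/en_GB.zip")  # plain HTTP, no integrity check
    with zipfile.ZipFile(io.BytesIO(pack)) as zf:
        return zf.namelist()


def safe_entry(name: str) -> bool:
    """Reject absolute paths, backslashes and any path that climbs out of the install dir."""
    if name.startswith("/") or "\\" in name:
        return False
    norm = posixpath.normpath(name)
    return not (norm == ".." or norm.startswith("../"))


def verified_update(net: Network, expected_sha256: str) -> list:
    """Hardened updater: the expected digest comes from a manifest the client
    obtained over an authenticated channel (assumed here), so a swapped pack
    fails before unpacking; entry names are then checked so a pack cannot
    write outside its own directory."""
    pack = net.get("http://updates.example/en_GB.zip")
    actual = hashlib.sha256(pack).hexdigest()
    if actual != expected_sha256:
        raise ValueError(f"digest mismatch ({actual[:12]}...), refusing update")
    with zipfile.ZipFile(io.BytesIO(pack)) as zf:
        names = zf.namelist()
    bad = [n for n in names if not safe_entry(n)]
    if bad:
        raise ValueError(f"unsafe entry names in pack: {bad}")
    return names


# What the (assumed) authenticated manifest would pin for the genuine pack.
GENUINE_SHA256 = hashlib.sha256(GENUINE_PACK).hexdigest()


if __name__ == "__main__":
    print("naive updater, hostile network   :", naive_update(Network(True)))
    print("verified updater, clean network  :", verified_update(Network(False), GENUINE_SHA256))
    try:
        verified_update(Network(True), GENUINE_SHA256)
    except ValueError as err:
        print("verified updater, hostile network:", err)
```

The digest check is the part that matters: encrypting the download alone would not help if the client still accepts whatever decrypts. In practice the pinned digest would come from a signed manifest or the pack itself would carry a signature verified against a key baked into the client; the entry-name check is a second, independent guard so that even a pack that passes verification cannot be used to drop files elsewhere on the system when the updater runs with high privileges.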
The Wall Street Journal reports that Andrew Hoog, CEO of NowSecure, notified Samsung of the flaw in November last year. Some three months later the manufacturer said it had begun rolling out a fix through wireless carriers, but NowSecure’s researchers found that devices were still unpatched, and with enough time having passed since the vendor was notified, they decided to go public with their findings.
In its latest statement, Samsung says it is working on the issue and will push a fix over the air through Samsung KNOX. Because the patch has to reach each handset through Samsung and the carriers, users cannot apply it themselves; until it arrives, the practical mitigation is to keep the device off untrusted networks, since the attack depends on an attacker controlling the network the phone uses to check for updates.