Around 600 million Samsung Galaxy devices are at high risk because of a pre-installed app that hackers can exploit to take complete control of the device.
What's more, you can't even uninstall this application, so you are at the mercy of Samsung to fix the flaw.
SwiftKey is a well-known keyboard app for mobile devices, and its SwiftKey IME version comes prepackaged with Samsung Galaxy phones. The app has high privileges in the system, which lets it write files to phone memory and can let anyone spy on you if you use a Samsung Galaxy phone.
Ryan Welton, mobile security specialist at NowSecure, found that the pre-installed SwiftKey app can be tricked into downloading malicious code, disguised as a language pack, that takes control of the smartphone. SwiftKey also allows access to account details, SMS, photos, media files, content stored on USB storage, Wi-Fi and more.
Ryan also shared a YouTube video demonstrating the hack.
NowSecure reported the issue to Samsung in December 2014. Because of the magnitude of the issue, NowSecure also notified CERT, which assigned CVE-2015-2865, and informed the Google Android security team. It has advised Samsung Galaxy users to avoid insecure Wi-Fi and ditch their phones until an official patch is released.
According to a British firm, this hack isn't easy to pull off because it depends on particular timing. A hacker can only sneak into a device while the keyboard software is applying a software update.
For now, only the pre-installed SwiftKey app is vulnerable, not the versions from the Google Play Store or the Apple iOS Store.
SwiftKey says it only found out about the flaw on Tuesday. The company said “the way this technology was integrated on Samsung devices introduced the security vulnerability.”
In a statement to reporters, Samsung said it “takes emerging security threats very seriously… and [is] committed to providing the latest in mobile security.”
The company also said it’s about to patch the issue through its Samsung KNOX service. “Updates will begin rolling out in a few days,” the company said, although it’s unclear whether all devices will receive the fix.