Swiftkey Poses Hack Threat To 600m Samsung Phones

A critical vulnerability that can be easily exploited by hackers has been found in a native app shipped with millions of Samsung smartphones.

That was the warning from NowSecure, which revealed that over 600 million Samsung smartphones are at risk from the flaw in messaging app SwiftKey.

The app, which is designed to help users to type without mistakes using autocorrect, comes pre-loaded on Samsung devices, and cannot be uninstalled from the smartphone.

At risk

The vulnerability, discovered by Ryan Welton, mobile security specialist at NowSecure, could allow an attacker to remotely execute code as a privileged (system) user, and affects models including the Samsung Galaxy S6, S5, S4 and S4 mini.

First detected last year, NowSecure notified Samsung and the Google Android security team of the vulnerability last December, with the former issuing a patch to mobile network operators in early 2015.

However it is unknown if the carriers have provided the patch to the devices on their network, meaning its is hard to determine how many users remain vulnerable.

Welton wrote a blog in which he revealed that the pre-installed SwiftKey app can be tricked to download language pack updates in plain text over a compromised network connection. A hacker could therefore disguise malicious code as a language pack that is then injected to take control of the smartphone.

“The attack vector for this vulnerability requires an attacker capable of modifying upstream traffic,” said the blog posting. “The vulnerability is triggered automatically (no human interaction) on reboot as well as randomly when the application decides to update. This can include geographically proximate attacks such as rogue Wi-Fi access points or cellular base stations, or attacks from local users on a network, including ARP poisoning. Fully remote attacks are also feasible via DNS Hijacking, packet injection, a rogue router or ISP, etc.”

“The Swift keyboard comes pre-installed on Samsung devices and cannot be disabled or uninstalled. Even when it is not used as the default keyboard, it can still be exploited,” it said.

No Easy Fix

The hacker could remotely access smartphone sensors and resources like GPS, camera and indeed the microphone. They could also secretly install malicious app(s) without the user being aware. In addition, the hackers could also tamper with how other apps work or how the phone works, and can eavesdrop on incoming/outgoing messages or voice calls. They could also access sensitive personal data like pictures and text messages.

So what to do?

Well Welton advises that because the flawed keyboard app can’t be uninstalled or disabled, and that it is not easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update, the options are fairly limited. He advised users to avoid insecure Wi-Fi networks, use a different mobile device and contact their carrier for patch information and timing.

Users could also try use Google Keyboard or a third party keyboard app in the meantime, although this will not remove the vulnerability.

It should be noted that only the pre-installed SwiftKey app is vulnerable, not the ones from Google Play Store or Apple iOS Store. But installing the app from the Play store will NOT remove the vulnerability of the pre-installed version apparently.

Because of its open nature and massive popularity, the Android OS is often regarded as one of the most insecure mobile operating systems at present. Over the years, there have numerous flaws discovered with the mobile OS.

SwiftKey Statement

SwiftKey got in touch with TechweekEurope to reiterate that the vulnerability found by NowSecure does NOT affect the SwiftKey consumer apps on Google Play and the Apple App Store.

“We supply Samsung with the core technology that powers the word predictions in their keyboard,” said the company in a statement. “It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability. We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this important security issue.”

“The vulnerability in question is not easy to exploit: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device,” said SwiftKey. “This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”

“For clarity, this issue does not affect SwiftKey’s consumer keyboard applications on Google Play or the Apple App Store, and we are absolutely committed to maintaining world-class standards in security and privacy practices for our users,” said the company.

How much do you know about hacking? Take our quiz!

Think you know all there is to know about the world’s most famous hackers? Find out with our quiz!

Are you a smartphone know-it-all? Try our quiz!

Want all the latest tech security news? Sign up for our free newsletter!