Researchers have found a vulnerability in the keyboard software that is installed on many Samsung smartphones. The vulnerability allows an attacker to execute malicious code with system rights on the phone. Samsung Galaxy S phones, including the S4 Mini, S4, S5 and S6, come with the affected SwiftKey keyboard installed by default.
The software runs with system privileges and regularly checks for updates. This check is performed over HTTP, which makes it vulnerable to man-in-the-middle attacks: an attacker who can intercept the update checks and inject a malicious update can execute arbitrary code on the phone with system rights. According to researchers at NowSecure, the vulnerability can be exploited even if the keyboard is not actively used. The researchers have published a webpage where users can check whether they are vulnerable.
According to the researchers, more than 600 million Samsung smartphones contain the vulnerability.
The CERT Coordination Center of Carnegie Mellon University states that the chance of becoming a victim of the attack, which depends on how often the software performs its update check, is relatively small. Meanwhile, Samsung has released a firmware update to telecom providers. Users who have not yet received an over-the-air update are advised to stay off untrusted Wi-Fi networks, including open ones.
Using untrusted networks increases the chance of becoming a victim of man-in-the-middle attacks, according to CERT.