
SwiftKey Vulnerability In Samsung Galaxy Phones Puts 600 Mn Devices At Risk


As per a report from security firm NowSecure (via Forbes), a critical vulnerability in the SwiftKey keyboard app that comes preloaded on some of Samsung’s Galaxy series devices could allow an attacker to remotely tap into GPS, camera and microphone, eavesdrop on text messages, calls and more.

During the Black Hat London presentation of "Abusing Android Apps and Gaining Remote Code Execution", NowSecure mobile security researcher Ryan Welton said that over 600 million Samsung mobile devices are vulnerable to an attack that is highly reliable, completely silent, and affects all devices.

As explained by the security firm, the default SwiftKey keyboard app can be used by a potential attacker to remotely execute code as a privileged user. What may bring a sigh of relief is that attackers will be able to hack a phone only if the handset is connected to an insecure Wi-Fi network.

Once done, a hacker can gain access to GPS coordinates, the camera, or the microphone, install malicious apps without the user’s knowledge, intercept both messages and voice calls, or gain access to locally stored files such as photos.

The security company says that the Android and iOS versions of the SwiftKey app available through the official app stores do not come with this vulnerability. This means that the security risk only affects Samsung smartphones that come with the app pre-installed.

NowSecure discovered the vulnerability last year, and informed Samsung of the flaw back in December 2014. Unfortunately, although the smartphone maker has allegedly issued a patch to carriers across the globe since the vulnerability was discovered, NowSecure claims that most carriers have yet to roll out the patch.

Given the magnitude of the issue, NowSecure notified CERT who assigned CVE-2015-2865, and also informed the Google Android security team.

Unfortunately, SwiftKey is set as a default application on Samsung Galaxy devices and cannot be uninstalled. Also, even if you do not use the application, you are still vulnerable.


Senior Writer
