New Exploit Leaves Up To 600M Samsung Galaxy Phones Vulnerable To Hack

Bad news for up to 600 million Samsung Galaxy phone owners worldwide: a big fat new vulnerability has been found that could let anyone with the inclination to cause trouble into your phone, where they could read your messages, listen through your mic, watch through your camera, and push malware at you. Oops.

The exploit is in Samsung’s keyboard, Ars Technica reports.

The keyboard is, of course, software and the phones come with a Samsung proprietary version of SwiftKey, the Samsung IME Keyboard, pre-installed. And like any other piece of software on the phone, the keyboard occasionally needs to be updated. So far so good.

So every so often, the phones query a particular server to see whether updates are available for the keyboard or its language packs. The trouble is that any attacker who can impersonate that server can send back not just updates but malicious code as well. Android, left to its own devices, might be able to catch that, but Samsung grants its own updates far more privileges than other software gets, so anything bundled into a keyboard update can just waltz right in and install itself.
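The weakness described above is an update channel that trusts whatever answers as the update server. As an added illustration that is not from the original article, Ars Technica, Samsung or SwiftKey, the Go program below shows the check a defender would expect an updater to make before installing anything: a vendor public key pinned in the client, and a detached Ed25519 signature over each update package, so that a response from an impersonated server, or a package altered in transit, is rejected. The UpdateResponse type, the key generation, the signUpdate helper and the package bytes are all constructed for this example and are not Samsung's real update format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdateResponse models what the device receives when it asks for a keyboard
// or language-pack update: the package bytes plus a detached signature.
// Constructed for this example; not the real update format.
type UpdateResponse struct {
	Package   []byte
	Signature []byte
}

// VerifyUpdate is the check a hardened updater makes before it writes or
// installs anything: the signature must verify under the vendor key pinned
// in the client at build time. Anyone who merely impersonates the update
// server cannot forge this without the vendor's private key.
func VerifyUpdate(pinnedPub ed25519.PublicKey, resp UpdateResponse) error {
	if len(pinnedPub) != ed25519.PublicKeySize {
		return errors.New("update rejected: client has no valid pinned key")
	}
	if len(resp.Signature) != ed25519.SignatureSize {
		return errors.New("update rejected: missing or malformed signature")
	}
	if !ed25519.Verify(pinnedPub, resp.Package, resp.Signature) {
		return errors.New("update rejected: signature does not verify against pinned vendor key")
	}
	return nil
}

// signUpdate stands in for the vendor's release pipeline (hypothetical):
// only the holder of the private key can produce a response the client accepts.
func signUpdate(priv ed25519.PrivateKey, pkg []byte) UpdateResponse {
	return UpdateResponse{Package: pkg, Signature: ed25519.Sign(priv, pkg)}
}

// Scenario runs three deliveries through VerifyUpdate and reports which were
// accepted: a genuine vendor-signed package, the same package with one byte
// altered in transit, and a package signed by a party that does not hold the
// vendor key (the best an impersonated server could produce).
func Scenario() (genuineAccepted, tamperedAccepted, spoofedAccepted bool) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := []byte("keyboard-langpack-v2 (constructed sample payload)")

	genuine := signUpdate(vendorPriv, pkg)
	genuineAccepted = VerifyUpdate(vendorPub, genuine) == nil

	tampered := signUpdate(vendorPriv, pkg)
	tampered.Package = append([]byte(nil), pkg...)
	tampered.Package[0] ^= 0xff // one byte corrupted in transit
	tamperedAccepted = VerifyUpdate(vendorPub, tampered) == nil

	spoofed := signUpdate(otherPriv, []byte("not what the vendor shipped"))
	spoofedAccepted = VerifyUpdate(vendorPub, spoofed) == nil
	return
}

func main() {
	g, t, s := Scenario()
	fmt.Printf("genuine accepted: %v\ntampered accepted: %v\nspoofed accepted: %v\n", g, t, s)
}
```

The signature is checked on the package itself rather than relying on the transport, so it holds up even if the server name resolves to the wrong host. It addresses only the impersonation half of the problem the article describes; the other half, updates being installed with far more privileges than ordinary apps, is an install-side least-privilege question that no amount of signing fixes on its own.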

The researcher who found the exploit confirmed its presence on Verizon and Sprint Galaxy S6 phones, T-Mobile Galaxy S5 phones, and the Galaxy S4 Mini on AT&T. (That vulnerabilities in other Galaxy models or the same models on other carriers have not been confirmed doesn’t mean those phones are in the clear, just that they have not yet been tested one way or the other.) The problem is specific to the Samsung custom version of the app, and not to the SwiftKey app that users (of any phone) can get from Apple’s App Store or Google Play.

Ars explains the technical details, but the short version is that at the moment, there’s not much that owners of vulnerable phones can do. Even if you use a custom app instead of the default Samsung keyboard, it’s still on the phone and therefore still vulnerable.

There is no way to uninstall the problem app, and while Ars recommends staying off of unsecured Wi-Fi networks (always good advice), that still wouldn’t prevent someone from using a variety of techniques to impersonate the update server.

Samsung has reportedly issued a patch to wireless providers, but it’s anyone’s guess when that will actually find its way to the millions of device owners out there.


New exploit turns Samsung Galaxy phones into remote bugging devices
[Ars Technica]