Major security flaw may affect 600M Samsung smartphones

Flaw in pre-installed keyboard software could allow hackers to eavesdrop on users' calls and damage handsets, a security company discovers.

Laura Hautala

The Samsung Galaxy S6 is among several handsets vulnerable to hijacking, a security firm warns. CNET

Millions of Samsung Galaxy smartphone owners may be at risk of eavesdropping on calls, theft of data and installation of malware -- and there isn't much they can do about it.

The flaw is found in Swiftkey keyboard software preinstalled on 600 million of the South Korean electronics giant's smartphones, mobile security company NowSecure said Wednesday. Affected users are powerless to address the vulnerability because they cannot uninstall the software.

Affected devices include the recently released Galaxy S6, as well as the S5, S4, and S4 Mini on all major carriers, NowSecure said.

Samsung said it will release a fix for the problem in the next few days, accessible through its service Samsung Knox. It will come in the form of a security policy update that can be downloaded onto the phones.

"Samsung takes emerging security threats very seriously," Samsung said in a statement. "In addition to the security policy update, we are also working with Swiftkey to address potential risks going forward."

Consumers can be forgiven for feeling whipsawed by security flaws and breaches that compromise their data held by retailers and banks and now on the mobile devices they use. Target in 2013 reported 40 million people had their credit card numbers stolen from its point of sale terminals, and followed up that report with news that another hack got the names, email addresses and phone numbers of 70 million customers. JPMorgan Chase, the largest bank in the country, reported last year that 76 million households and 7 million small businesses had their account information stolen. And on Monday, password manager service LastPass announced hackers had stolen the email addresses and master password clues of its users.

NowSecure said Samsung was notified in December 2014 of the problem.

"While Samsung began providing a patch to mobile network operators in early 2015, it is unknown if the carriers have provided the patch to the devices on their network," NowSecure said in its report. According to NowSecure's list of affected devices, every phone on it either has no patch available or has a patch whose status is unknown.

The phones are vulnerable to attack from a variety of fronts, according to NowSecure's technical analysis of the flaw. A less sophisticated attacker near a phone might gain access through an unsecured Wi-Fi connection, while a more serious attacker could use a more involved approach to gain access from much farther away, NowSecure said.

As a result, the flaw would appear to be a pervasive and serious problem until fixed.

"To reduce your risk, avoid insecure Wi-Fi networks, use a different mobile device and contact your carrier for patch information and timing," NowSecure said in its report.

However, some security professionals noted that an attack might have limited returns for hackers.

"It appears there needs to be a lot of things in place for this to work properly," Nathan Collier, senior malware intelligence analyst at Malwarebytes Labs, said in an email about NowSecure's description of how an intruder could break into a phone.

Noting that he didn't expect to see anyone carrying out such an attack, Collier said it wasn't the typical route taken by people trying to take over computers and devices.

"Malware authors are looking for big returns using the path of least resistance, and having to write code for several different phone models is quite tedious. Samsung is aware of the issue. Hopefully they will be providing a patch for their customers shortly."