Over 600 Million Samsung Devices Vulnerable to Keyboard Security Risk

[Karamjit]

Android SwiftKey keyboard permits remote code execution

Mobile security researchers at NowSecure have identified a remote code execution vulnerability in SwiftKey, one of the preinstalled Android apps that comes with most of Samsung's devices.

If the name doesn't ring a bell, SwiftKey, or sometimes just Swift, is the on-screen keyboard everyone uses to write any type of text on Samsung's Android devices.

The vulnerability allows for remote code execution on Samsung devices

According to the security disclosure, this flaw in the SwiftKey app allows attackers to access sensors on the device, its camera, GPS, microphone, pictures, and even the text messages library.

The vulnerability also lets them install malicious apps without requiring the user's permission, alter existing apps, and even listen for incoming or outgoing messages and voice calls in real time.

Classified as CVE-2015-2865, the vulnerability was discovered last year when Samsung and the Android Security teams were also notified.

Patches have been available since early 2015

Patches to address this issue were released by Samsung to mobile operators in early 2015, but it's still unknown how many vulnerable devices were upgraded.

Since the Swift keyboard comes installed by default on all Samsung devices and cannot be uninstalled in any way or form, it is highly recommended that any person utilizing a Samsung device should get in contact with his carrier and inquire if the security patch was supplied.

In a statement on their official support forum, the SwiftKey team had the following to say: “We've seen reports of a security issue related to the Samsung stock keyboard that uses the SwiftKey SDK. We can confirm that the SwiftKey Keyboard apps available via Google Play or the Apple App Store are not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.”

From: http://news.softpedia.com/news/Over-600-Million-Samsung-Devices-Vulnerable-to-Keyboard-Security-Risk-484562.shtml

[Holmes]

I have a samsung galaxy SFive and I dont have swiftkey on my apps list and I have all the preinstalled apps that came with the phone (Im to lazy to remove them)..