Potentially 600m Samsung Galaxy phones are at risk of malicious compromise after a new exploit was discovered by a security researcher.
The vulnerability is down to the way in which the SwiftKey keyboard app updates: it periodically queries a server to check whether new updates exist. However, that check is conducted in the clear, and the downloaded executable file is neither encrypted nor integrity-checked, so an attacker in a man-in-the-middle position can spoof the update server and send a malicious file to the device. Such a file could turn the device into a bug by taking control of the camera and microphone, install other malicious apps, and steal data.
Furthermore, because Samsung phones grant elevated privileges to the update code, a payload delivered in this way bypasses many of the Android system protections designed to minimise the access that third-party apps have to the device.
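The defensive counterpart to the weakness described above is an update client that refuses any payload it cannot tie back to a key pinned in the app at build time, independently of whether the transport was protected. The Go program below is an added illustration of that pattern and is not code from SwiftKey, Samsung or NowSecure; the manifest format, the `VerifyUpdate` function and the sample payloads are constructed for this example. A vendor signs the SHA-256 digest of each update with an offline Ed25519 key; the client checks the signature against the embedded public key and then checks that the bytes it actually downloaded match the signed digest. A spoofed server can still deliver bytes, but it cannot produce a manifest the client will accept, and a swapped payload fails the digest comparison.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateManifest is a constructed, hypothetical stand-in for what an update
// service might serve alongside the binary: the payload's SHA-256 digest and
// an Ed25519 signature over (version, digest) made with the vendor's key.
type UpdateManifest struct {
	Version   string
	Digest    [32]byte
	Signature []byte
}

var (
	ErrBadSignature   = errors.New("update manifest signature invalid")
	ErrDigestMismatch = errors.New("downloaded payload does not match signed digest")
)

// signedMessage binds the version string to the digest so a valid old
// manifest cannot be replayed against a different version label.
func signedMessage(version string, digest [32]byte) []byte {
	return append([]byte(version+"\x00"), digest[:]...)
}

// signUpdate models the vendor's build pipeline (present only so the example
// is self-contained; the private key never ships with the app).
func signUpdate(priv ed25519.PrivateKey, version string, payload []byte) UpdateManifest {
	d := sha256.Sum256(payload)
	return UpdateManifest{Version: version, Digest: d, Signature: ed25519.Sign(priv, signedMessage(version, d))}
}

// VerifyUpdate is the client-side check. vendorPub is compiled into the app,
// so a man-in-the-middle cannot substitute a key of their own on the wire.
func VerifyUpdate(vendorPub ed25519.PublicKey, m UpdateManifest, payload []byte) error {
	if !ed25519.Verify(vendorPub, signedMessage(m.Version, m.Digest), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(payload) != m.Digest {
		return ErrDigestMismatch
	}
	return nil
}

// Scenario runs three constructed downloads through the same client check:
// the genuine update, the genuine manifest with a swapped payload, and a
// payload signed by an attacker-controlled key. It returns the three results.
func Scenario() (genuine, tampered, forged error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample payloads; real ones would be the keyboard update binary.
	realPayload := []byte("keyboard-language-pack-v2.1 (constructed sample)")
	evilPayload := []byte("malicious replacement (constructed sample)")

	m := signUpdate(vendorPriv, "2.1", realPayload)
	genuine = VerifyUpdate(vendorPub, m, realPayload)

	// Attacker keeps the genuine manifest but serves different bytes.
	tampered = VerifyUpdate(vendorPub, m, evilPayload)

	// Attacker serves a self-consistent manifest signed with their own key.
	forgedManifest := signUpdate(attackerPriv, "2.1", evilPayload)
	forged = VerifyUpdate(vendorPub, forgedManifest, evilPayload)
	return
}

func main() {
	genuine, tampered, forged := Scenario()
	fmt.Println("genuine update:   ", genuine)
	fmt.Println("swapped payload:  ", tampered)
	fmt.Println("forged manifest:  ", forged)
}
```

The signature check does not replace TLS for the update channel; it makes the transport's failure non-fatal, because nothing the client trusts travels over the network. The same structure applies whatever privilege the update code runs with, which is exactly why it matters when, as on the affected devices, the installer runs with elevated rights.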
Samsung pre-installs many Galaxy phones with its own version of SwiftKey, called Samsung IME, which widens the number of phones potentially affected. Ars Technica reports that SwiftKey has responded to the security issue, saying: “We’ve seen reports of a security issue related to the Samsung stock keyboard that uses the SwiftKey SDK. We can confirm that the SwiftKey Keyboard app available via Google Play or the Apple App Store is not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.”
The exploit was demonstrated at the Black Hat security conference in London by Ryan Welton, a researcher with security firm NowSecure.
Security blog TechWorm reports that Welton claims to have discovered the bug late last year and alerted Samsung and Google’s Android security team. Although Samsung has fixed the bug via a security patch, Welton believes that not all networks have distributed the patch to all devices. What happens to unlocked devices, which rely on patches direct from Samsung, is not clear.
TechWorm quotes NowSecure: “We can confirm that we have found the flaw still unpatched on the Galaxy S6 for the Verizon and Sprint networks, in off-the-shelf tests we did over the past couple of days.”
by Karl Thomas, ESET