Up to 600 million Samsung smartphones, including the latest-model S6 and S6 Edge flagships, contain a security flaw which could allow hackers to listen to conversations, read texts or view photos on the phones.
The vulnerability, discovered by US security firm NowSecure, lies in the keyboard software, SwiftKey, which comes pre-installed on the latest Samsung smartphones.
NowSecure found that attackers could gain system-user access via the keyboard software’s language-pack update mechanism, which was unencrypted, and then run code on the device to do just about whatever they wanted.
This included accessing the camera, microphone, files including personal photographs, GPS data, and content of voice calls and text messages.
An attacker could also secretly install malicious apps, known as “malware”, NowSecure said.
As a result of the way the software was pre-installed, NowSecure said in a blog post, “… the keyboard was signed with Samsung’s private signing key and runs in one of the most privileged contexts on the device, system user”.
“The vulnerability is triggered automatically (no human interaction) on reboot as well as randomly when the application decides to update [its language packs],” the company said.
This happened “periodically every few hours”, said Ryan Welton, the mobile security developer who discovered the flaw, in a comment.
Affected users can’t uninstall SwiftKey, either – and the risk remains even if they are using a downloaded keyboard app in place of the pre-installed one, because the vulnerable component is still on the device.
NowSecure said it notified Samsung of the problem in December last year and also notified the US Computer Emergency Readiness Team (CERT) and Google, which makes the Android operating system that runs on Samsung phones, among other brands.
Samsung issued patches to mobile phone operators beginning early this year, but it was hard to know whether carriers had actually passed the patches on to customers, NowSecure said.
It advised Samsung owners to avoid unsecured Wi-Fi networks, contact their mobile phone provider for further information, and use a different make of phone for the time being.
Australia’s three biggest phone service providers, Telstra, Optus and Vodafone, have each been contacted for comment, as has Samsung Australia.
Just weeks ago the Android operating system was found to contain another major vulnerability which left personal data stored on phones after they were “factory reset”, leaving data potentially exposed if the devices were passed on or sold second hand.