Keyboard app bug puts millions of Samsung mobile users at risk, researcher claims

A vulnerability in the Swift keyboard, which comes pre-installed on Samsung mobile devices, can be exploited by remote attackers to secretly install malicious apps, access the device’s camera and microphone and more, claims NowSecure security researcher Ryan Welton.

He also says that over 600 million Samsung mobile device users are at risk due to this flaw.

“It’s unfortunate but typical for OEMs and carriers to preinstall third-party applications to a device. In some cases these applications are run from a privileged context. This is the case with the Swift keyboard on Samsung,” he explained.

The vulnerability stems from the fact that the app looks for and receives updates over an unencrypted connection. An attacker capable of modifying upstream traffic can exploit this to deliver malicious security updates.

“The vulnerability is triggered automatically (no human interaction) on reboot as well as randomly when the application decides to update,” Welton notes. “This can include geographically proximate attacks such as rogue Wi-Fi access points or cellular base stations, or attacks from local users on a network, including ARP poisoning. Fully remote attacks are also feasible via DNS Hijacking, packet injection, a rogue router or ISP, etc.”

More technical details about the exploitation of the flaw can be found in this blog post.

Once the attacker exploits the bug to effectively gain system user privileges, he can leverage that access to tap into the GPS, camera and microphone, secretly install malicious apps, tamper with other apps or the phone, eavesdrop on messages or voice calls, and try to access and exfiltrate sensitive user data (contact data, pictures, etc.).

Samsung knows about this bug. They were apprised of it in late 2014, and have been providing patches to the various carriers since March 2015, the researcher says.

But not all carriers have rolled out the patches yet. According to NowSecure, Galaxy S6 devices on the Verizon and Sprint networks are still vulnerable, and so are Galaxy S devices on T-Mobile, and Galaxy S4 Mini on AT&T (a list of impacted devices by carrier with patch status can be found here).

“Unfortunately, the flawed keyboard app can’t be uninstalled. Also, it isn’t easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update,” the company noted, and advised users to avoid insecure Wi-Fi networks as a way to mitigate the risk, or to use a different mobile device until the patch is made available by their carrier.

But Android Police’s David Ruddock contests the seriousness of the risk end users are exposed to due to this flaw. He says that it’s still unclear if newer devices can be fully affected by the exploit, as it was demonstrated on substantially older firmware.

“While there is no simple way to update the Samsung IME keyboard, this isn’t an easy flaw to exploit,” he noted. “An attack would be rather involved – essentially, a malicious party would have to have already deeply compromised the security of the network you’re on and use DNS hijacking or a similar man-in-the-middle exploit to redirect your phone to a fake language pack update that could then potentially inject your device with malicious code.”

The app also can’t be “tricked” into asking for a language pack update or forced into downloading a new one, he noted, and this makes the flaw “difficult to exploit reliably, let alone on any sort of scale.”

SwiftKey, the (partial) developers of the pre-installed keyboard app, have also confirmed that their SwiftKey Keyboard apps available via Google Play or the Apple App Store are not affected by this vulnerability.
