Ryan Welton, security researcher from security firm NowSecure, had demonstrated the exploit at the recent Black Hat Security Conference held in London. The security vulnerability arises from SwiftKey keyboard that comes pre-installed on a number of Samsung devices. The keyboard which cannot be disabled or uninstalled allows hackers easy access to users' devices.
The vulnerability is in the update mechanism for a Samsung-customized version of SwiftKey, available on the Samsung Galaxy S6, S5, and several other Galaxy models. When downloading updates, the Samsung devices don't encrypt the executable file, making it possible for attackers in a position to modify upstream traffic, such as those on the same Wi-Fi network, to replace the legitimate file with a malicious payload.
On the conference researcher demonstrate the exploit and mention the flaw leads attacker perform various task, which are -
- Access sensors and resources like GPS, camera and microphone.
- Secretly install malicious app(s) without the user knowing.
- Tamper with how other apps work or how the phone works.
- Eavesdrop on incoming/outgoing messages or voice calls.
- Give attempt to access sensitive personal data like pictures and text messages.
Not using Swift keyboard ? Still you are Vulnerable.
Most weird thing so that, users who are not using the Swift keyboard as a default then also the exploit is still possible. The attack is also possible whether or not a legitimate keyboard update is available.
Security firm, NowSecure had reported the security issue to Samsung in November 2014. However Samsung reportedly gave a patch to mobile operators across the world, it is unclear if carriers have passed the fix to all users.