The default keyboard on a number of Samsung smartphones could be leaving some 600 million devices open to attack, a new report claims.
It has been suggested that the update mechanism on the company’s built-in Android keyboard has a vulnerability that is exposed when the keyboard checks, either daily or weekly, for language updates and trending phrases.
Security company NowSecure has suggested that would-be hackers could use the vulnerability to access users’ text messages, eavesdrop on their conversations by activating the microphone, install apps and access the camera.
“The keyboard was signed with Samsung’s private signing key and runs in one of the most privileged contexts on the device, system user, which is a notch short of being root,” NowSecure researcher Ryan Welton told the Guardian.
He added: “Unfortunately, the flawed keyboard app can’t be uninstalled or disabled.”
With NowSecure having alerted Samsung to the issue back in December, the Korean manufacturer is said to have asked the security firm to keep the threat under wraps until it had been able to create a fix.
Installed on every Galaxy-branded smartphone, the IME keyboard is built around third-party manufacturer SwiftKey’s technologies.
Although the risks are severe, the vulnerability does not appear to be easy to exploit: an attacker needs to be on the same compromised Wi-Fi network as the device in order to get into it.
“The vulnerability in question is not easy to exploit: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device,” an official SwiftKey comment stated.
“This access is only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”
Looking to distance itself from the issue, the keyboard specialist added: “We supply Samsung with the core technology that powers the word predictions in their keyboard. It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability.
“We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this important security issue.”
With the issue troubling devices such as the Samsung Galaxy S6 and Samsung Galaxy Note 4, an official Samsung spokesperson stated: “Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security.”