Mobile security company NowSecure has reported a vulnerability in the SwiftKey keyboard app preinstalled on some Samsung phones, which could allow an attacker to perform privileged remote code execution. That roughly translates to "anything goes," and NowSecure claims that over 600 million devices may be impacted.
The bug affects the Samsung Galaxy S4, S5, and S6 handset lines. Only US carrier versions are listed, but it's possible that versions around the world are similarly affected. Adding insult to injury, the app in question can't be uninstalled or even disabled by users—all they can do is wait for a carrier-issued patch.
NowSecure claims to have informed Samsung of the bug in December 2014. Samsung apparently began to issue patches to carriers early this year, but it's unclear how many devices have gotten the fix. NowSecure has also informed the Android security team of the vulnerability. US-CERT has assigned CVE-2015-2865 to this bug, and the details of the vulnerability have already been published on NowSecure's technical blog.
In the meantime, NowSecure recommends that owners of affected devices switch to a different phone, avoid insecure wireless networks, and contact their carriers for information on a patch.
Update, June 16th at 1:39 PM: SwiftKey reached out to us with a statement, quoted below.
We’ve seen reports of a security issue related to the Samsung stock keyboard that uses the SwiftKey SDK. We can confirm that the SwiftKey Keyboard app available via Google Play or the Apple App Store is not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.