Updated: Preinstalled SwiftKey app can own some Samsung phones

Mobile security company NowSecure has reported a vulnerability in the SwiftKey keyboard app preinstalled on some Samsung phones, which could allow an attacker to perform privileged remote code execution. That roughly translates to "anything goes," and NowSecure claims that over 600 million devices may be impacted.

The bug affects the Samsung Galaxy S4, S5, and S6 handset lines. Only US carrier versions are listed, but it's possible that versions around the world are similarly affected. Adding insult to injury, the app in question can't be uninstalled or even disabled by users—all they can do is wait for a carrier-issued patch.

NowSecure claims to have informed Samsung of the bug in December 2014. Samsung apparently began to issue patches to carriers early this year, but it's unclear how many devices have gotten the fix. NowSecure has also informed the Android security team of the vulnerability. US-CERT has assigned CVE-2015-2865 to this bug, and the details of the vulnerability have already been published on NowSecure's technical blog.

In the meantime, NowSecure recommends that owners of affected devices switch to a different phone, avoid insecure wireless networks, and contact their carriers for information on a patch.

Update, June 16th at 1:39 PM: SwiftKey reached out to us with a statement, quoted below.

We’ve seen reports of a security issue related to the Samsung stock keyboard that uses the SwiftKey SDK. We can confirm that the SwiftKey Keyboard app available via Google Play or the Apple App Store is not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.

Comments closed
    • entropy13
    • 4 years ago

    I think it’s still model dependent. My S6 is SM-G920F, and it doesn’t come with SwiftKey pre-installed, only the likes of Skype, OneDrive, and weirdly, Instagram (never used, but I update it nonetheless, pressing update all is easier than selecting update for each).

    I had to get SwiftKey from the Play Store.

      • qasdfdsaq
      • 4 years ago

      You are probably vulnerable. You don’t have to “get” SwiftKey, it’s preinstalled on your phone. Except, you probably missed it because it’s been renamed to the Samsung stock keyboard.

      The vulnerability has nothing to do with the SwiftKey app. It’s Samsung’s built-in keyboard that has the vulnerability, and that keyboard is built on the Swiftkey SDK.

        • entropy13
        • 4 years ago

        Yeah reading up said that it’s the stock keyboard actually. Which I never use.

    • Anovoca
    • 4 years ago

    I’m still not sure why swiftkey uses a QWERTY configuration for swype. Seems a radial key layout would be faster and eliminate misinterpretations in keystrokes.

      • ludi
      • 4 years ago

      Maybe for the same reason the Dvorak keyboard never went mainstream: once people learn the QWERTY layout, it’s impossible to find the letters anywhere else. I have a Garmin GPS, and a labelmaker, that display letters in alphabetical order. It takes me twice as long to actually find the letters.

    • ludi
    • 4 years ago

    Too late for Swiftkey hackers. My phone was owned by Samsung in collaboration with Verizon.

    • just brew it!
    • 4 years ago

    Sounds like Samsung is having a really bad day…

      • funko
      • 4 years ago

      Samsung Electronics, maybe… but Samsung as a whole won’t feel it one bit. https://www.youtube.com/watch?v=6Afpey7Eldo

        • just brew it!
        • 4 years ago

        Well, there’s the ongoing SSD firmware mess too (as mentioned in another front page story). Yes, I guess it’s still just a drop in the bucket for a mega-corp, but if they keep racking up bumps and bruises their brand image will take a hit.

    • trackerben
    • 4 years ago

    Get an iPhone or WinPhone and stick with the default keyboards, and you can’t go as wrong.

    • NeelyCam
    • 4 years ago

    Great. I bet AT&T patches this in about a year.

    Maybe I should switch to using that Zenfone 2. In my quick initial testing, web browsing is significantly faster than with the S5.

    • derFunkenstein
    • 4 years ago

    600 million devices, but only US carrier branded. That doesn’t add up. Gotta be model-wide, world-wide devices. Yikes.

    • esc_in_ks
    • 4 years ago

    Just when I think software security has hit a new low, now the freaking keyboard app is even completely insecure.

    Trust nothing, trust no one!

    • Beelzebubba9
    • 4 years ago

    Man I have never had such a love/hate relationship with a phone like I do with the S6. I love the hardware, but Samsung really needs to stop making software.

      • Deanjo
      • 4 years ago

      “but Samsung really needs to stop making software.” And SSDs as well apparently.

        • Beelzebubba9
        • 4 years ago

        Deanjo: “And SSDs as well apparently.” Ask me how my 840 Evo is doing*. *poorly

          • Deanjo
          • 4 years ago

          Fortunately the Samsung-built SSDs in the Macs are seemingly unaffected: the read/write speeds are consistent throughout their age, and they don’t seem to have any firmware issues.

            • Beelzebubba9
            • 4 years ago

            IIRC Apple doesn’t use Samsung’s TLC units, which (until today with the 850 Pro TRIM issue) were the only ones badly affected?

            Pretty sure my rMBP has a PM841 which I thought was the m.2 version of the 840 Pro?

            • Deanjo
            • 4 years ago

            IIRC it’s an XP941 derivative (custom Apple firmware) in the rMBP. The PM841 utilizes a SATA controller and the XP941 is a pure PCI-e interface.

            • Beelzebubba9
            • 4 years ago

            The 2015 models use an XP941 derivative, but I have a 2013.

            • Deanjo
            • 4 years ago

            The 2014s use an XP941 (such as mine), the 2015s use an SM941.

      • southrncomfortjm
      • 4 years ago

      I feel you on that, but this is a Swiftkey bug, not a piece of Samsung software.

      I’m over Samsung though. In their race to add every feature to every device, they don’t really have tight quality control.

        • Beelzebubba9
        • 4 years ago

        Yeah my issue is more that it can’t be uninstalled and the carriers control the patches. This isn’t the reason I dislike their software, it just adds to the hatepile I’ve been accumulating.

          • qasdfdsaq
          • 4 years ago

          One of the many advantages of rooting your phone – you CAN uninstall it as root.

        • qasdfdsaq
        • 4 years ago

        The vulnerability wouldn’t be there if Samsung hadn’t signed the software themselves and preinstalled it to run with a privileged system account. Samsung explicitly gave the application more permissions than it needs, and THAT is the problem here.
