Mobile security company NowSecure has reported a vulnerability in the SwiftKey keyboard app preinstalled on some Samsung phones, which could allow an attacker to perform privileged remote code execution. That roughly translates to "anything goes," and NowSecure claims that over 600 million devices may be impacted.
The bug affects the Samsung Galaxy S4, S5, and S6 handset lines. Only US carrier versions are listed, but it's possible that versions around the world are similarly affected. Adding insult to injury, the app in question can't be uninstalled or even disabled by users—all they can do is wait for a carrier-issued patch.
NowSecure claims to have informed Samsung of the bug in December 2014. Samsung apparently began to issue patches to carriers early this year, but it's unclear how many devices have gotten the fix. NowSecure has also informed the Android security team of the vulnerability. US-CERT has assigned CVE-2015-2865 to this bug, and the details of the vulnerability have already been published on NowSecure's technical blog.
In the meantime, NowSecure recommends that owners of affected devices switch to a different phone, avoid insecure wireless networks, and contact their carriers for information on a patch.
Update, June 16th at 1:39 PM: SwiftKey reached out to us with a statement, quoted below.
"We’ve seen reports of a security issue related to the Samsung stock keyboard that uses the SwiftKey SDK. We can confirm that the SwiftKey Keyboard app available via Google Play or the Apple App Store is not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further."