Skip to main content

Samsung Keyboard Bug

Samsung Keyboard Bug Leaves 600m Android Devices Exposed to Hackers










A vulnerability in Samsung's Android keyboard installed on over 600m devices worldwide could allow hackers to take full control of the smartphone or tablet.
 
The security bug revolves around the update mechanism of the built-in keyboard, which looks for language updates for trending phrases either daily or weekly.
 
"The keyboard was signed with Samsung's private signing key and runs in one of the most privileged contexts on the device, system user, which is a notch short of being root," said researcher Ryan Welton from security company NowSecure who discovered the hole.
 
The problem was discovered last year. NowSecure told Samsung about the bug in December. Samsung asked NowSecure to keep the discovery under wraps until it could patch the problem. Google's Android security team was also notified.
 
However, six months on it is unclear whether the patch is out. Samsung started that process in early 2015, but unlike Apple's direct model of software updates, is beholden to mobile phone providers to push out updates to their users.
It is unclear whether that has happened and on what scale users have updated their devices.

Users stuck even if they install another keyboard

"Unfortunately, the flawed keyboard app can't be uninstalled or disabled," said Welton. "It isn't easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update."
 
The problem surrounds Samsung's integration of Swiftkey's underlying keyboard engine into its own keyboard software. Swiftkey essentially provides the brains for detecting what a user is trying to type and Samsung does the rest producing the completed keyboard and pre-installing it on its devices.
 
The Guardian understands that the fault lies within Samsung's code. SwiftKey-based keyboards on other Android devices from other manufacturers, and SwiftKey's apps from the Google Play Store or for the iPhone are unaffected .
 
If the Samsung Android device is connected to a malicious Wi-Fi network when the keyboard attempts to update its trending phrases and language pack, a hacker could substitute the update for a backdoor into the phone giving a hacker almost complete access to the phone.
 
According to NowSecure a hacker could remotely access a smartphone's sensors, such as GPS, the camera or microphone, eavesdrop on calls or attack sensitive personal data.
 
"Unfortunately, we were only made aware of the issue on Tuesday," said Joe Braid, chief marketing officer of SwiftKey. "We are working as hard as possible to support Samsung and help it fix the issue."
 
Simply installing another third-party keyboard, including SwiftKey's full keyboard does not fix the issue, as the Samsung keyboard continues to run in the background.
 
"There isn't a whole lot you can do except try to steer clear of networks you don't trust, where a crook might try to intercept and hack your traffic," said Paul Ducklin from security company Sophos . "The silver lining, if that's not too strong a way to describe it, is that a crook can't exploit this hole just whenever he likes: you have to be on his dodgy network when a [keyboard] update happens, and he has to notice in time to jump in as a man-in-the-middle."
 
The number of Samsung devices affected is extensive, but includes the latest Samsung Galaxy S models, including the Galaxy S6, S5 and S4.

Stay connected for more latest updates...

Comments

Popular posts from this blog

Voice Calling Test

Which voice calling app uses the most data per minute? We tested the top 10 Free voice call apps, which use data to place calls, can offer a cheaper way to keep in contact with friends abroad and come to the rescue when you’ve used up your monthly minute quota. However, with multi-gigabyte data plans still often coming at a premium price, the busiest chatters out there could soon eat into their monthly allowance using voice over data calls. To shed some light on the issue, we’ve gone back over our list of  10 free call apps  to investigate just how much data these apps end up consuming. In the list you’ll find popular apps such as Hangouts, Skype, WhatApp and Viber, as well as regional favourites including Line and Nimbuzz. The test method For our test, we subjected each of these 10 apps to three separate one minute calls and recorded the amount of data used by the app after each call. These three totals were then averaged together to produce the result. Bo...

Microsoft Aims To Kill Google Chromebooks

Microsoft Aims To Kill Google Chromebooks With $149 Windows 10 Laptops Despite a lacklustre start, Chromebooks are becoming relatively popular in the super-budget end of the portable market. This has worried Microsoft for some time. After all, with a Google-centric experience, not to mention an operating system in the form of Chrome OS, there’s little if anything to be gained here by Microsoft and everything to lose. That’s why it’s targeting the Chromebook specifically, with a most likely Windows 10-based  $149 laptop. They’re no MacBook killers and don’t expect them to play GTA V, though  (when it finally makes a PC appearance that is). According to tech rumour site www.Digitimes.com , these laptops are geared primarily towards emerging markets, education and the super-low end market, which includes users whose tasks are limited to web browsing, word processing and social media use. The Chromebook has gained traction in quite a few areas and Micros...

Spartan Vs. Rest!!

Spartan For many, it’s not exactly a confidence booster that Microsoft’s forthcoming new browser will be a “Windows App,” rather than a traditional desktop application. It sports the characteristic borderless frames and blockily minimalist aesthetic, and the overall impression is of a stripped-down, simplified version of IE, according to an initial appreciation by Network World’s Howard Wen. ( "First Look: Microsoft's new Spartan browser for Windows 10" ) But, in a lot of ways, that’s probably a good thing – Chrome’s got a very similar look and feel, and it’s doing pretty well for itself. Spartan appears as a Windows app Chrome So what about the browser Spartan’s trying to knock off of its perch? Chrome’s still got major advantages over the rest of the field, including a perceived performance edge, simple and elegant design, and tight integration with Google’s wildly popular web services like Gmail. Simplicity is key for Chrome For the moment, those features...