“The keyboard was signed with Samsung’s private signing key and runs in one of the most privileged contexts on the device, system user, which is a notch short of being root,” said researcher Ryan Welton from security company NowSecure, who discovered the hole.
This exploit affects nearly 600 million Samsung phones across many carriers, including the newest flagship Samsung Galaxy S6, Galaxy S5, Galaxy S4, Galaxy S4 mini, etc. What’s worse, SwiftKey cannot be disabled or uninstalled, even if you install other keyboard programs. Samsung supposedly released an update to fix this bug in March, but Welton revealed at the Black Hat Security Summit that users are still at risk.
Any Feasible Solutions?
- Google recently announced a new Android Security Rewards program, which will pay users who report bugs; that way, they will respond quickly to any bugs like this.
- According to a Samsung official, “Samsung takes emerging security threats very seriously, we are aware of the recent issue reported by media outlets and are dedicated to fixing the issue.” We will need to wait for official fixes to be sent to the devices. The solutions will come either in the form of official Android updates or patches coming directly from Samsung.
- For Samsung users, Paul Ducklin from security company Sophos recommends that users avoid networks they do not trust or recognize, and ask their carriers if an update is available. A Virtual Private Network (VPN) may help, where all your network traffic is encrypted before it leaves your Samsung.
- Take good care of data stored on your Samsung. Back up the precious data on your Samsung; you can do that with a backup app like android manager or by manually copying it to a computer. If by any chance you lose some files due to the damn bug, you can get help from a Samsung Data Recovery tool to bring the lost data back.
- Meanwhile, I recommend holding off on the S6 and S6 edge, especially for BYOD. It doesn't make sense to use a buggy device that could cost you or your business time and money.
The Situation is Not That Bad
The keyboard security flaw impacting "600 Million+" Samsung phones is probably nothing to worry about. According to the report from ZDNet, the app in question is not SwiftKey itself, but rather the Samsung IME keyboard that SwiftKey develops for Samsung.
“We’ve seen reports of a security issue related to the Samsung keyboard. We can confirm that the SwiftKey Keyboard apps available via Google Play or the Apple App Store are not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.”