A security flaw affecting the default keyboard in up to 600 million Samsung phones worldwide allows a remote attacker to access sensitive personal data and control the device.

The flaw is believed to affect several Samsung models, including the Samsung Galaxy S6. The researchers who discovered the vulnerability have created a website that you can visit to see if your phone is vulnerable. This list is not complete and other models may be affected.

According to researchers who demonstrated at a conference in London how the flaw could be exploited, an attacker could:

●      Access sensors and resources such as GPS, phone and camera

●      Install malicious applications without the user knowing

●      Tamper with the phone or applications

●      Eavesdrop on calls

●      Access pictures and text messages

The researchers state the attacker can manipulate the update mechanism for the SwiftKey keyboard, which comes pre-installed and cannot be disabled or uninstalled from Samsung devices. The vulnerability can still be exploited even if the device owner is not using the keyboard.

Staying safe
Samsung advised it would be rolling out a security policy update. In a statement issued in response to the reported vulnerability, Samsung said all ‘flagship’ models since the Samsung Galaxy S4 had the KNOX security platform installed, which could update the security policies automatically.

The security update would be pushed to the user, who must agree to receive it. Samsung said. ‘To ensure your device receives the latest security updates, go to Settings > Lock Screen and Security > Other Security Settings > Security policy updates, and make sure the Automatic Updates option is activated,” the vendor added. ‘At the same screen, the user may also click Check for updates to manually retrieve any new security policy updates.’

In order to exploit the vulnerability, the attacker needs to be on the same network as your phone. For this reason, it is recommended that you do not connect your Samsung phone to any networks that may not be secured, including free wireless hotspots.

It is recommended that you ensure that updates to your applications are automated and applied as soon as they can be. This applies to both smartphones and computers.

Talk to atomicBIT about keeping your devices & data safe today.  Call us on 02 8033 5733 or email info@atomicbit.com.au.