A bug in Samsung’s keyboard for Android is putting 600m devices at risk of hacking, including the potential for a complete hijack of the system, according to a researcher at NowSecure.
The problem was said to occur because Swift keyboard, created by British start-up SwiftKey, has access to extensive privileges on the phone, meaning that a hacker could exploit the software’s update process to attack a phone.
Writing online, Ryan Welton, a security researcher at NowSecure, said: "It’s unfortunate but typical for OEMs [original equipment manufacturers] and carriers to preinstall third-party applications to a device.
"In some cases these applications are run from a privileged context. This is the case with the Swift keyboard on Samsung."
According to the researcher, the way Samsung installs Swift onto its phones means that it runs as a system user, "a notch short of being root", the account that has complete control over a computer or smartphone.
In order to carry out the attack, a hacker would have to modify traffic being sent to the phone, for example by poisoning a Wi-Fi hotspot or some other network, or by one of a host of other methods.
The attacker could then allegedly manipulate the update process through which a user can alter or install language packs in order to hack the smartphone.
"Unfortunately, the flawed keyboard app can’t be uninstalled or disabled," Welton said. "Also, it isn’t easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update.
"To reduce your risk, avoid insecure Wi-Fi networks, use a different mobile device and contact your carrier for patch information and timing."
In a statement released to the press, SwiftKey insisted that the problem only occurred if the keyboard software is "conducting a language update at that specific time, while connected to the compromised network".