CHICAGO — Millions of Samsung Galaxy phones are likely impacted by a security flaw that could allow attackers to install malware or eavesdrop on calls — and there’s not much users can do about it.
Security firm NowSecure said a bug in the pre-installed Swift keyboard software installed on more than 600 million Samsung devices could allow a hacker “execute code as a privileged user” to gain access to the device and the user’s network.
If the flaw in the keyboard is exploited, the attacker could access the phone’s GPS, camera, microphone, install malicious apps, eavesdrop on calls, and access photos and messages. The keyboard cannot be disabled or uninstalled. Even when it’s not being used, the security flaw can still be exploited.
The list of devices includes the Galaxy S6, Galaxy S5, Galaxy S4, and Galaxy S4 Mini. Verizon, AT&T, Sprint, and T-Mobile customers are all impacted.
The flaw was discovered by Ryan Welton, a researcher at NowSecure. The firm notified Samsung and the Google Android security team in December.
“While Samsung began providing a patch to mobile network operators in early 2015, it is unknown if the carriers have provided the patch to the devices on their network. In addition, it is difficult to determine how many mobile device users remain vulnerable, given the devices models and number of network operators globally.”
Samsung has not publicly commented on the security flaw.