Samsung has rushed a fix for a critical vulnerability found in a native app shipped with millions of its latest smartphones.
Earlier this week, NowSecure revealed that more than 600 million Samsung smartphones are at risk from the flaw in messaging app SwiftKey.
The app, which is designed to help users type without mistakes using autocorrect, comes pre-loaded on Samsung devices and cannot be uninstalled from Samsung’s smartphones.
The vulnerability, discovered by Ryan Welton, mobile security specialist at NowSecure, could allow an attacker to remotely execute code as a privileged (system) user, and affects models including the Samsung Galaxy S6, S5, S4 and S4 mini.
It should be noted that only the pre-installed SwiftKey app is vulnerable, not the versions available from the Google Play Store or the Apple iOS Store. Installing the app from the Play Store will apparently NOT remove the vulnerability in the pre-installed version, and the security risk will exist on Galaxy smartphones even if the app is not being used as the default keyboard.
Samsung has therefore decided this week that it will update its Knox security software within a few days in order to eliminate the risk, Bloomberg reported.
Samsung said in an email on Thursday that all Galaxy models since the S4 (released in 2013) are embedded with Knox. The upgrade will be available for download to users of all those models, it said. But it didn’t comment on plans for older models.
SwiftKey is taking the issue seriously and working with Samsung to ensure a patch is available as soon as possible, Jennifer Kutz, a spokeswoman for the company, told Bloomberg by email.
“The vulnerability in question is not easy to exploit,” she said.
Indeed, SwiftKey told TechweekEurope earlier this week that the vulnerability is down to the way that Samsung integrated the app onto its smartphones.
“We supply Samsung with the core technology that powers the word predictions in their keyboard,” the company told TechweekEurope. “It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability. We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this important security issue.”
“The vulnerability in question is not easy to exploit: a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device,” said SwiftKey. “This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”
“For clarity, this issue does not affect SwiftKey’s consumer keyboard applications on Google Play or the Apple App Store, and we are absolutely committed to maintaining world-class standards in security and privacy practices for our users,” said the company.