About the vulnerability
Over 600 million Samsung mobile device users have been affected by a significant security risk on leading Samsung models, including the recently released Galaxy S6. The risk comes from a pre-installed keyboard that allows an attacker to remotely execute code as a privileged (system) user.
This flaw was uncovered by NowSecure mobile security researcher Ryan Welton. Samsung was notified in November 2014. Given the magnitude of the issue, NowSecure notified CERT, which assigned CVE-2015-4640 and CVE-2015-4641, and also informed the Google Android security team.
If the flaw in the keyboard is exploited, an attacker could remotely:
- Access sensors and resources like GPS, camera and microphone
- Secretly install malicious app(s) without the user knowing
- Tamper with how other apps work or how the phone works
- Eavesdrop on incoming/outgoing messages or voice calls
- Attempt to access sensitive personal data like pictures and text messages
While Samsung began providing a patch to mobile network operators in early 2015, it is unknown whether the carriers have pushed the patch to the devices on their networks. In addition, it is difficult to determine how many mobile device users remain vulnerable, given the number of device models and network operators globally.
Review technical details about this vulnerability in researcher Ryan Welton’s technical blog post.
How to detect it
Check whether your Samsung mobile device is on this list. Several Samsung mobile devices are impacted. As of June 16, 2015, this is the known (but not all-inclusive) list of impacted devices by carrier, with patch status:
| Device | Carrier* | Patch Status |
|---|---|---|
| Galaxy S6 | Verizon | Unpatched |
| Galaxy S6 | AT&T | Unknown |
| Galaxy S6 | Sprint | Unpatched |
| Galaxy S6 | T-Mobile | Unknown |
| Galaxy S5 | Verizon | Unknown |
| Galaxy S5 | AT&T | Unknown |
| Galaxy S5 | Sprint | Unknown |
| Galaxy S5 | T-Mobile | Unpatched |
| Galaxy S4 | Verizon | Unknown |
| Galaxy S4 | AT&T | Unknown |
| Galaxy S4 | Sprint | Unknown |
| Galaxy S4 | T-Mobile | Unknown |
| Galaxy S4 Mini | Verizon | Unknown |
| Galaxy S4 Mini | AT&T | Unpatched |
| Galaxy S4 Mini | Sprint | Unknown |
| Galaxy S4 Mini | T-Mobile | Unknown |
*International carriers: Our research sampled select international Samsung devices and found the vulnerability on them as well. Because Samsung uses what SwiftKey refers to as the “Samsung stock keyboard using the SwiftKey SDK,” we believe the issue to be global in nature. We suggest contacting local carriers for more specific detail on device vulnerability and patches. Carriers need to work with Samsung to obtain a patch.
Reduce your risk
Unfortunately, the flawed keyboard app can’t be uninstalled. It also isn’t easy for a Samsung mobile device user to tell whether the carrier has patched the problem with a software update. However, there are a few initial remedies the mobile device user can take to reduce exposure:
- Avoid unsecured Wi-Fi networks
- Use a different mobile device
- Contact carriers for patch information and timing