About the vulnerability

Over 600 million Samsung mobile device users have been affected by a significant security risk on leading Samsung models, including the recently released Galaxy S6. The risk comes from a pre-installed keyboard that allows an attacker to remotely execute code as a privileged (system) user.

This flaw was uncovered by NowSecure mobile security researcher Ryan Welton. Samsung was notified in November of 2014. Given the magnitude of the issue, NowSecure notified CERT, which assigned CVE-2015-4640 and CVE-2015-4641, and also informed the Google Android security team.

If the flaw in the keyboard is exploited, an attacker could remotely:

Access sensors and resources like GPS, camera and microphone

Secretly install malicious app(s) without the user knowing

Tamper with how other apps work or how the phone works

Eavesdrop on incoming/outgoing messages or voice calls

Attempt to access sensitive personal data like pictures and text messages

While Samsung began providing a patch to mobile network operators in early 2015, it is unknown whether the carriers have delivered the patch to the devices on their networks. In addition, it is difficult to determine how many mobile device users remain vulnerable, given the number of device models and network operators globally.

Review technical details about this vulnerability in researcher Ryan Welton’s technical blog post.

How to detect it

See if your Samsung mobile device is on this list. Several Samsung mobile devices are impacted. As of June 16, 2015, this is the known (but not all-inclusive) list of impacted devices by carrier, with patch status:

Device          Carrier*   Patch Status
Galaxy S6       Verizon    Unpatched
Galaxy S6       AT&T       Unknown
Galaxy S6       Sprint     Unpatched
Galaxy S6       T-Mobile   Unknown
Galaxy S5       Verizon    Unknown
Galaxy S5       AT&T       Unknown
Galaxy S5       Sprint     Unknown
Galaxy S5       T-Mobile   Unpatched
Galaxy S4       Verizon    Unknown
Galaxy S4       AT&T       Unknown
Galaxy S4       Sprint     Unknown
Galaxy S4       T-Mobile   Unknown
Galaxy S4 Mini  Verizon    Unknown
Galaxy S4 Mini  AT&T       Unpatched
Galaxy S4 Mini  Sprint     Unknown
Galaxy S4 Mini  T-Mobile   Unknown

*International carriers: Our research sampled select international Samsung devices and found the vulnerability. Because Samsung utilizes what SwiftKey refers to as the “Samsung stock keyboard using the SwiftKey SDK,” we believe the issue to be global in nature. We suggest contacting local carriers for more specific detail on device vulnerability and patches. Carriers need to work with Samsung to obtain a patch.

Reduce your risk

Unfortunately, the flawed keyboard app cannot be uninstalled. It also is not easy for a Samsung mobile device user to tell whether the carrier has patched the problem with a software update. However, there are a few initial steps the mobile device user can take to reduce exposure:

Avoid unsecured wi-fi networks

Use a different mobile device

Contact carriers for patch information and timing

Learn more