Samsung Galaxy Phones Have A Serious Security Flaw

The version of SwiftKey that Samsung ships with its Galaxy phones has a major vulnerability — and the problem can’t be eliminated simply by removing the app itself.


NowSecure highlighted the vulnerability, which affects the preinstalled and unfortunately non-removable version of SwiftKey found on most Samsung Galaxy devices. When the Galaxy OEM version of SwiftKey updates itself, it does so without user intervention and writes the update as a system user. That’s a highly privileged position in the system hierarchy, which opens the door to an attack if the update happens on an insecure Wi-Fi network set up to exploit this particular vulnerability.

Annoyingly, not only can you not uninstall SwiftKey to remove the problem, but installing an updated version of the Google Play SwiftKey app won’t remove the issue either. Samsung was apparently alerted to the issue in 2014, and some carriers may have included patches to mitigate it — but it’s not clear whether everyone has to date.

Remote Code Execution as System User on Samsung Phones [NowSecure]


  • This is why carriers need to be taken out of the Android update loop. This should have just been a single update sent from Samsung, or Google, to all users. Instead people now have no idea if they’re updated or not, or if the update is even available for them!

  • The steps one would have to take to exploit this bug make it about a billion to one chance of being taken advantage of. What is the true purpose of this post?

  • Mere, how do you know what the chances are? By publishing the issue it makes owners aware and in doing so puts pressure on those in a position to fix the matter. If we publish crime rates and incidents it does the same thing. If we didn’t talk about them because we thought it would inspire others, do you think those responsible for prevention would feel the need to act?

