Samsung Security Vulnerability Affects 600 million Phones


Samsung is facing a severe security vulnerability, with the discovery of a bug in its keyboard software. US computer security company NowSecure discovered the bug and reported it to Samsung last year. According to NowSecure, the bug could allow hackers to monitor the phone’s texts, camera and microphone. It could also allow them to install apps without the user’s permission.

The keyboard software, which is in use in almost all parts of the phone, checks for updates automatically, giving hackers the opportunity to intercept the update and introduce malicious files. However, reports suggest that the vulnerability is relatively difficult to exploit, as doing so would require controlling how the phone connects to the internet (for example, using a malicious WiFi access point).

Using an alternative keyboard will not solve the problem as Samsung’s keyboard always runs in the background. This is a code issue and Samsung is working on a fix with SwiftKey, the developer of its keyboard. SwiftKey apps being used on other phones and operating systems are not at risk of this vulnerability.

The news comes as a big setback for Samsung, which was recently crowned the world’s largest smartphone vendor, beating Apple in Q1 2015.

The vulnerability is a serious concern for Samsung device users (so far, Galaxy S4, S5 and S6 models are all affected) and it is estimated that up to 600 million Samsung phones could be at risk of cyber attack. Australian telecommunications companies such as Telstra, Optus and Vodafone are all investigating how many local users are at risk.

At this stage, there is not much that can be done. Users can only wait for their phones to be automatically updated by Samsung. Carriers will be responsible for distributing the patch, once provided by Samsung.

In the meantime, users who are concerned are advised to avoid public WiFi networks, use another phone and follow up with their carriers to determine when a patch will be released.

Experts are suggesting that the Android platform is partly to blame for security vulnerabilities and the inability to effectively dispatch updates down the line.