Samsung Galaxy Keyboard Bug Exposes Users to Hackers | Homestead Security | Forums

heads up for samsung users

Hundreds of millions of users of Samsung Galaxy smartphone models S4 through S6 are potentially vulnerable to a computer bug that researchers disclosed at the Black Hat Conference in London on Tuesday.

The flaw, discovered by a Ryan Welton, a researcher at the cybersecurity firm NowSecure, lets attackers wreak havoc on Samsung mobile device models. It can give a hacker covert control over a phone’s microphone and camera, access to text messages, and the ability to download malicious apps, among other things.

The issue arises from a defect in the software updater for Samsung’s default virtual keyboard, a customized version of the word-prediction technology developed by SwiftKey. When a device downloads a language pack update, any man-in-the-middle attacker—a bad actor positioned on the same network as the user—can swap out the real file with malware, thus compromising the device.

The default keyboard program checks for updates automatically, so even people who use other keyboard apps are vulnerable.

Two problems with the phones’ updater process contribute to the severity of the vulnerability. On the one hand, SwiftKey does not encrypt those keyboard update files, a weakness that hackers can exploit to install malicious files on a person’s device (as described above). On the other, Samsung grants those updates elevated permissions, allowing attackers to circumvent the phone’s security controls and meddle with all sorts of data and code running on a device.

“Because Samsung phones grant extraordinarily elevated privileges to the updates,” writes Ars Technica security editor Dan Goodin, “the malicious payload is able to bypass protections built into Google’s Android operating system that normally limit the access third-party apps have over the device.”

http://time.com/3925.....-keyboard/