There is the popular saying that you are only as strong as your weakest link. While Samsung might have beefed up phone security with fingerprint sensors and software, it seems that not all of its bases have been covered. NowSecure mobile security researcher Ryan Welton says he has discovered a security flaw that has potentially left Samsung’s devices open to attack.

According to Welton, the issue lies with the default Swift keyboard that Samsung has included in its Galaxy series of smartphones, including the latest Galaxy S6 and Galaxy S6 Edge handsets. The severity of the flaw stems from the fact that the keyboard is signed using Samsung’s private signing key, which allows it to run in one of the most privileged contexts.

While the flaw was not revealed, for obvious reasons, if a hacker were to find and exploit it, they would be able to remotely access sensors and resources like your phone’s GPS, camera, and microphone, as well as install malicious apps without the user’s knowledge. They would also be able to eavesdrop on incoming/outgoing messages and voice calls.

Welton states that he notified Samsung of the flaw back in December of 2014, when he first discovered it. However, he notes, “While Samsung began providing a patch to mobile network operators in early 2015, it is unknown if the carriers have provided the patch to the devices on their network. In addition, it is difficult to determine how many mobile device users remain vulnerable, given the devices models and number of network operators globally.”
