600M Samsung phones vulnerable to keyboard flaw

Victor Barreiro Jr.


The security risk lets attackers remotely execute code as a privileged user of the phone, allowing them to potentially install malicious apps secretly or access sensitive personal data.

MANILA, Philippines – A serious security risk affecting the default keyboards of some 600 million Samsung mobile phones was uncovered and announced to the public by mobile security group NowSecure on Tuesday, June 16 (June 17 Manila time).

According to NowSecure’s announcement, the risk comes from a pre-installed keyboard – the SwiftKey keyboard – that lets attackers remotely execute code as a privileged (system) user.

Those exploiting the flaw can potentially do the following to other people’s devices:

  • Access sensors and resources like GPS, camera and microphone
  • Secretly install malicious app(s) without the user knowing
  • Tamper with how other apps work or how the phone works
  • Eavesdrop on incoming/outgoing messages or voice calls
  • Attempt to access sensitive personal data like pictures and text messages

The security risk was discovered by NowSecure mobile security researcher Ryan Welton, with Samsung being notified in December of 2014.

Samsung began providing a patch to mobile network operators in early 2015, but it is unknown if the carriers have provided the patch to the devices on their network.

Figuring out the global scale of vulnerability to the security flaw is also difficult, given the devices’ models and the number of network operators around the world.

In the US, the flaw affects the Samsung Galaxy S6, S5, S4, and S4 Mini on the AT&T, Sprint, T-Mobile, and Verizon carriers.

Unfortunately, the keyboard application cannot be uninstalled, and users may have trouble telling if their carriers have patched the problem with a software update.

In the meantime, NowSecure recommends that users take the following initial steps to protect themselves:

  • Avoid insecure Wi-Fi networks
  • Use a different mobile device
  • Contact carriers for patch information and timing

Additional technical information is available in this blog post by Ryan Welton. – Rappler.com


Victor Barreiro Jr is part of Rappler's Central Desk. An avid patron of role-playing games and science fiction and fantasy shows, he also yearns to do good in the world, and hopes his work with Rappler helps to increase the good that's out there.