News  Android
Samsung Hacked Keyboard

Keyboard vulnerablility discovered back in December 2014

When you install a software keyboard in Android, you are warned it might be possible for hackers to steal your data. This is because the software running the keyboard is, well, software, and as we all know software in the hands of the bad guys can do whatever they bid it to. The nightmare scenario of a keyboard becoming infected without the users knowledge appears to be possible on certain Samsung customized versions of SwiftKey, which in total applies to 600 million devices. That's because these devices automatically query Samsung servers without the users knowledge - the keyboard app has been granted this privilege when installed at the factory.

The attack vector is the update mechanism which doesn't encrypt the updated keyboard app as it is sent to the device. This means hackers can intercept it, since it is in the clear, and replace it with their own. A man-in-the-middle exploit has been demonstrated at a recent Blackhat hacking conference in London.

Patch available

The researcher who discovered this vulnerability, NowSecure's Ryan Welton, says Samsung has supplied a patch to several carriers but it seem most haven't applied it yet.

There is little users can do to prevent this, apart from avoiding untrusted or unsecured WiFi networks. This is because affected handsets are periodically querying the Samsung servers to see if an update is available, and the user is unaware of this and in any case unable to prevent it. Therefore, if the handset is on a network which a hacker has compromised, it can be spoofed into providing their version of the malware rather than the official one, and it will be silently installed in the background.


The keyboard app is a customised version of the regular one from Swiftkey, who have been quick to point out that the versions available in the Google Play store are unaffected by this bug. However, that's bolting the stable door after the horse has run away - the problem was the Swift keyboard which was pre-installed on the affected handsets in the first place.

The way Samsung tried to solve the problem of silent updates without user intervention was flawed unless it was 100% trusted. This also adds fuel to the fire of the "bloatware" critics, who point out pure Android services would never suffer such a breach. 

Samsung has admitted there is a problem but points out the difficulty of implementing it in practice. It also claims there have been no reported incidents relating to the exploit in the wild.

Samsung have issued the following statement relating to the issue:

Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security. Samsung KNOX has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days. In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.

Samsung's full response is here.