Keyboard hack compromises over 600 million Samsung phones

Samsung Swiftkey keyboard hack

Over 600 million Samsung mobile device users have been affected by a significant security risk on leading Samsung models, including the recently released Galaxy S6, as reported by NowSecure mobile security researcher Ryan Welton. The risk comes from a pre-installed keyboard that allows an attacker to remotely execute code as a privileged (system) user.

Summary of the Keyboard hack

A remote attacker capable of controlling a user’s network traffic can manipulate the keyboard update mechanism on Samsung phones and execute code as a privileged (system) user on the target’s phone.

The SwiftKey keyboard comes pre-installed on Samsung devices and cannot be disabled or uninstalled. Even when it is not used as the default keyboard, it can still be exploited.

SwiftKey has an update mechanism that allows new languages to be added or existing languages to be upgraded. When a user downloads an additional language pack, the network request is made in plain text, as shown below:

GET http://skslm.swiftkey.net/samsung/downloads/v1.3-USA/az_AZ.zip
← 200 application/zip 995.63kB 601ms

When the zip is downloaded it is extracted to /data/data/com.sec.android.inputmethod/app_SwiftKey//.

[email protected]:/data/data/com.sec.android.inputmethod/app_SwiftKey/az_AZ # ls -l
-rw------- system system 606366 2015-06-11 15:16 az_AZ_bg_c.lm1
-rw------- system system 1524814 2015-06-11 15:16 az_AZ_bg_c.lm3
-rw------- system system 413 2015-06-11 15:16 charactermap.json
-rw------- system system 36 2015-06-11 15:16 extraData.json
-rw------- system system 55 2015-06-11 15:16 punctuation.json

You can see that the files in the .zip were written as the system user. This is a very powerful user, capable of writing to many places on the file system. Since the application downloads the zip file over plaintext, anyone able to intercept the traffic can easily tamper with it and inject malicious code to get anything out of your phone.
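What the update path described above lacks, shown as an added example (this is not Samsung's or SwiftKey's code): check the downloaded archive against a digest from an authenticated source before unpacking, and refuse to write any entry outside the language directory. The manifest-supplied digest, the function names and the sample entries are assumptions, and the containment check goes beyond what the article itself describes.

```python
import hashlib
import hmac
import io
import os
import zipfile


class PackRejected(Exception):
    """Raised when a downloaded language pack fails verification."""


def make_pack(entries):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def install_language_pack(zip_bytes, expected_sha256, dest_dir):
    """Verify the archive, then extract it strictly inside dest_dir."""
    # Integrity: the expected digest must come from an authenticated source
    # (assumed here: a manifest fetched over certificate-validated HTTPS).
    digest = hashlib.sha256(zip_bytes).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256.lower()):
        raise PackRejected("archive digest does not match manifest")

    root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Resolve every entry before writing anything, so one bad entry
        # rejects the whole pack instead of leaving a partial install.
        plan = []
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise PackRejected("entry escapes language directory: %r" % info.filename)
            plan.append((info, target))
        for info, target in plan:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
    return sorted(target for _, target in plan)
```

A pack that fails either check raises PackRejected before a single file is written, so a privileged process never acts on unverified content.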

Impact of the Keyboard hack

If the flaw in the keyboard is exploited, an attacker could remotely do the following:

  • Access sensors and resources like GPS, camera and microphone
  • Secretly install malicious app(s) without the user knowing
  • Tamper with how other apps work or how the phone works
  • Eavesdrop on incoming/outgoing messages or voice calls
  • Attempt to access sensitive personal data like pictures and text messages

How to minimize the impact

  • Avoid insecure Wi-Fi networks
  • Use a different mobile device
  • Contact carriers for patch information and timing

-> An alternative is to install a custom ROM such as CyanogenMod on your phone.
-> If you prefer Samsung’s UI and proprietary apps and features, you can root your phone, uninstall the keyboard app and install another free keyboard app instead.

Until then, stay tuned to InfySim for more such updates.

https://www.nowsecure.com/keyboard-vulnerability/
