Millions of Samsung Devices may be at risk due to Keyboard Vulnerability


As many as 600 million Samsung mobile devices could be at risk from attackers due to a vulnerability in default keyboard software, a security researcher has discovered.

Ryan Welton from NowSecure detailed the vulnerability, which is present in the SwiftKey keyboard pre-installed on millions of Samsung smartphones.

The keyboard’s requests for language pack updates are not sent over an encrypted connection; they are sent in plain text. Welton was able to exploit this by setting up a spoofed proxy server and sending malicious security updates to affected devices, coupled with validating data to ensure that the malicious code remained on the device. Welton could then escalate the attack and continue to exploit the device without the user ever being aware.
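The update check at issue, sketched from the client's side as an added example (not code from NowSecure, Samsung or SwiftKey): a digest that arrives over the same unauthenticated channel as the update validates a replaced file just as well as the genuine one, while an authenticated manifest fetched over TLS does not. It assumes the "validating data" is a digest shipped alongside the update; the manifest format, key, URL and function names are hypothetical, and HMAC stands in for a public-key signature only so the code runs on the standard library.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed demo key. HMAC stands in for a public-key signature here;
# a real client would verify with a pinned vendor public key instead.
VENDOR_KEY = b"constructed-demo-key"

def sign_manifest(manifest_bytes: bytes, key: bytes = VENDOR_KEY) -> str:
    """Vendor side: authenticate the manifest bytes (hypothetical helper)."""
    return hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()

def make_manifest(payload: bytes) -> bytes:
    """Build a manifest listing the payload's SHA-256 (constructed format)."""
    return json.dumps({"sha256": hashlib.sha256(payload).hexdigest()}).encode()

def payload_matches(manifest_bytes: bytes, payload: bytes) -> bool:
    """Integrity only: compare the payload to the digest the manifest lists."""
    listed = json.loads(manifest_bytes)["sha256"]
    return hmac.compare_digest(listed, hashlib.sha256(payload).hexdigest())

def accept_weak(manifest_bytes: bytes, payload: bytes) -> bool:
    """Trusts whatever manifest arrived, as a plaintext update channel does."""
    return payload_matches(manifest_bytes, payload)

def accept_hardened(url: str, manifest_bytes: bytes, tag: str, payload: bytes) -> bool:
    """Require TLS, authenticate the manifest, then check the payload digest."""
    if urlsplit(url).scheme != "https":
        return False
    if not hmac.compare_digest(tag, sign_manifest(manifest_bytes)):
        return False
    return payload_matches(manifest_bytes, payload)

# Constructed sample data: a genuine pack and one replaced on the network path.
GENUINE = b"language pack v2"
TAMPERED = b"replaced in transit"
GENUINE_MANIFEST = make_manifest(GENUINE)
GENUINE_TAG = sign_manifest(GENUINE_MANIFEST)
TAMPERED_MANIFEST = make_manifest(TAMPERED)  # digest recomputed to match

if __name__ == "__main__":
    url = "https://updates.example/manifest.json"  # constructed URL
    print("weak:", accept_weak(TAMPERED_MANIFEST, TAMPERED))
    print("hardened:", accept_hardened(url, TAMPERED_MANIFEST, GENUINE_TAG, TAMPERED))
```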

The vulnerability potentially allows attackers to siphon sensitive data off the affected devices, including text messages, contacts, passwords and bank logins. It could also be used to remotely monitor users.

Samsung was informed of the issue back in November last year, and it provided a fix for devices running Android 4.2 or higher earlier this year in March. However, NowSecure is of the view that this exploit still exists.

Welton demonstrated it today at the Blackhat Security Summit in London on a Verizon Galaxy S6 and claimed to have replicated it.

“We can confirm that we have found the flaw still unpatched on the Galaxy S6 for the Verizon and Sprint networks, in off the shelf tests we did over the past couple of days,” a NowSecure spokesperson confirmed.

This is a serious issue for users because, even if they don’t use SwiftKey as the default keyboard, it can’t be uninstalled from the device (by any normal user), and Welton says that it can still be exploited even when it’s not the default keyboard.

Welton recommends that, until Samsung releases a fix, users be extra careful about using their handsets on networks that they’re not familiar with, in order to limit the chances of a man-in-the-middle attack.

Attackers have to be on the same wireless network as the device that they’re targeting; remote targeting is only possible by hijacking the DNS or compromising the router from another location.

Samsung has so far not commented on the issue.
