Samsung's stock keyboard permits remote code execution

Jun 17, 2015 09:38 GMT  ·  By

Mobile security researchers at NowSecure have identified a remote code execution vulnerability in the Samsung Keyboard, one of the preinstalled Android apps that comes with most of Samsung's devices.

If the name doesn't ring a bell, Samsung Keyboard is the on-screen keyboard everyone uses to write any type of text on Samsung's Android devices.

The vulnerability allows for remote code execution on Samsung devices

According to the security disclosure, this flaw in the Samsung stock keyboard built on the SwiftKey SDK allows attackers to access sensors on the device, its camera, GPS, microphone, pictures, and even the text messages library.

The vulnerability also lets them install malicious apps without requiring the user's permission, alter existing apps, and even listen for incoming or outgoing messages and voice calls in real time.

Classified as CVE-2015-2865, the vulnerability was discovered last year when Samsung and the Android Security teams were also notified.

Patches have been available since early 2015

Patches to address this issue were released by Samsung to mobile operators in early 2015, but it's still unknown how many vulnerable devices were upgraded.

Since the Samsung stock keyboard comes installed by default on all Samsung devices and cannot be uninstalled in any way or form, it is highly recommended that any person utilizing a Samsung device should get in contact with his carrier and inquire if the security patch was supplied.

In a statement on their official support forum, the SwiftKey team on which SDK the Samsung Keyboard app was built, had the following to say: “We've seen reports of a security issue related to the Samsung stock keyboard that uses the SwiftKey SDK. We can confirm that the SwiftKey Keyboard apps available via Google Play or the Apple App Store are not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.”

Update: The article was updated to remove any mentions that the vulnerability was affecting all SwiftKey keyboard apps.