By exploiting a vulnerability in the phones' keyboard software, an attacker on the network can impersonate the server the phones contact for updates, gain a foothold on the phone, and from there control the camera or microphone, read text messages and install apps.
"We supply Samsung with the core technology that powers the word predictions in their keyboard," read a SwiftKey statement. "It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability. We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this obscure but important security issue."
Researchers at mobile security firm NowSecure say they discovered the vulnerability, which they estimate could affect up to 600 million phones, and reported it to Samsung in November. They are only going public with their findings now, after seeing no progress for months towards fixing the problem.
"We have published a webpage to help you find out if you are vulnerable, learn more about how the vulnerability might affect you, and discover ways to reduce your risk. Finally, proof of concept code is available here," NowSecure wrote in an online statement.
Since the keyboard software can't be uninstalled, owners of vulnerable phones are advised to stay off unsecured Wi-Fi networks while Samsung and SwiftKey work on a fix. Even that precaution won't guarantee protection, though: this is a 'man-in-the-middle' attack, and anyone positioned on the network path between the phone and the update server, not only someone on the same open Wi-Fi network, could carry it out. NowSecure advises users to contact their carriers for information on software patches.
— SwiftKey (@SwiftKey) June 17, 2015
The exploit was discovered in the Samsung version of SwiftKey and is known to work on the Samsung Galaxy S6, Galaxy S5 and Galaxy S4 Mini, though other Samsung devices that ship with SwiftKey are suspected to be at risk as well.
It doesn't matter whether the user is actively using the keyboard: the phone periodically contacts a server for software updates anyway. Normally that connection is encrypted so the phone can be sure it is talking to the genuine server, but the Samsung version of SwiftKey appears to lack that protection, so whoever controls the network path can answer in the server's place and hand the phone whatever it likes.
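The following is an added illustration of the class of flaw described above, not code from the article, from NowSecure's proof of concept, or from SwiftKey or Samsung. It models an update client that accepts whatever the "server" returns, beside one that refuses the package unless a manifest verifies under a key the device already trusts and the package matches the manifest's digest. All data is constructed; the device key, manifest layout and server responses are assumptions, and HMAC stands in for the public-key signature a real update system would use (the stdlib has no asymmetric signatures, and the check structure is the same).

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample data; nothing here comes from the real keyboard or server.
# Assumed key that the device ships with. In a real design this would be the
# vendor's public key and the manifest would carry an asymmetric signature;
# HMAC is used here only as a stand-in with the same accept/reject structure.
DEVICE_TRUST_KEY = b"constructed-device-trust-key"

GENUINE_PACK = b"en_US language model v2 (constructed bytes)"
ATTACKER_PACK = b"attacker payload (constructed bytes)"


def make_manifest(pack: bytes, key: bytes) -> dict:
    """What an update server publishes alongside a package: the package's
    SHA-256 digest, plus a signature (HMAC stand-in) over the manifest body."""
    body = json.dumps(
        {"name": "en_US.zip", "sha256": hashlib.sha256(pack).hexdigest()},
        sort_keys=True,
    )
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def vulnerable_install(response: dict) -> bytes:
    """Models the failure the article describes: over an unauthenticated
    connection the client has no way to tell the real server from an
    impostor, so it installs whatever arrived."""
    return response["pack"]


def hardened_install(response: dict, key: bytes) -> Optional[bytes]:
    """Accept the package only if (1) the manifest verifies under the trusted
    key and (2) the package digest matches the manifest. Returns None on
    rejection. Transport encryption (TLS) would add server authentication on
    top of this; end-to-end signing protects even where TLS is absent."""
    manifest = response["manifest"]
    expected = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return None  # manifest not issued by the trusted key
    meta = json.loads(manifest["body"])
    if hashlib.sha256(response["pack"]).hexdigest() != meta["sha256"]:
        return None  # package was swapped after the manifest was issued
    return response["pack"]


def genuine_response() -> dict:
    """Constructed response from the real update server."""
    return {"manifest": make_manifest(GENUINE_PACK, DEVICE_TRUST_KEY),
            "pack": GENUINE_PACK}


def mitm_swapped_pack_response() -> dict:
    """A man-in-the-middle replays the genuine manifest but swaps the package."""
    r = genuine_response()
    r["pack"] = ATTACKER_PACK
    return r


def mitm_forged_manifest_response() -> dict:
    """A man-in-the-middle forges a consistent manifest, but without the
    device's trusted key the signature does not verify."""
    return {"manifest": make_manifest(ATTACKER_PACK, b"attacker-guessed-key"),
            "pack": ATTACKER_PACK}


if __name__ == "__main__":
    print("vulnerable client installs:", vulnerable_install(mitm_swapped_pack_response()))
    print("hardened, genuine:", hardened_install(genuine_response(), DEVICE_TRUST_KEY))
    print("hardened, swapped pack:", hardened_install(mitm_swapped_pack_response(), DEVICE_TRUST_KEY))
    print("hardened, forged manifest:", hardened_install(mitm_forged_manifest_response(), DEVICE_TRUST_KEY))
```

The point of the hardened path is that the decision to install rests on a key the device already holds rather than on who answered the network request, so an attacker who can impersonate the server still cannot get a package accepted. Verifying the signature before touching the package contents also keeps any parsing of attacker-controlled data out of the privileged installer.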
SwiftKey has said that the Android and iOS versions of its own app are not affected.