Samsung Galaxy S6 Phone Goes On Sale
Samsung's latest flagship smartphones, the Galaxy S6 and the S6 Edge, are viewed at a Samsung store on the day of their release in New York City on April 10, 2015 Spencer Platt—Getty Images

Samsung Galaxy Keyboard Bug Exposes Users to Hackers

Hundreds of millions of users of Samsung Galaxy smartphone models S4 through S6 are potentially vulnerable to a computer bug that researchers disclosed at the Black Hat Conference in London on Tuesday.

The flaw, discovered by a Ryan Welton, a researcher at the cybersecurity firm NowSecure, lets attackers wreak havoc on Samsung mobile device models. It can give a hacker covert control over a phone’s microphone and camera, access to text messages, and the ability to download malicious apps, among other things.

The issue arises from a defect in the software updater for Samsung’s default virtual keyboard, a customized version of the word-prediction technology developed by SwiftKey. When a device downloads a language pack update, any man-in-the-middle attacker—a bad actor positioned on the same network as the user—can swap out the real file with malware, thus compromising the device.

The default keyboard program checks for updates automatically, so even people who use other keyboard apps are vulnerable.

Two problems with the phones’ updater process contribute to the severity of the vulnerability. On the one hand, SwiftKey does not encrypt those keyboard update files, a weakness that hackers can exploit to install malicious files on a person’s device (as described above). On the other, Samsung grants those updates elevated permissions, allowing attackers to circumvent the phone’s security controls and meddle with all sorts of data and code running on a device.

“Because Samsung phones grant extraordinarily elevated privileges to the updates,” writes Ars Technica security editor Dan Goodin, “the malicious payload is able to bypass protections built into Google’s Android operating system that normally limit the access third-party apps have over the device.”

Andrew Hoog, the CEO of NowSecure, told the Wall Street Journal that his company alerted Samsung to the flaw in November. Two months later, Samsung requested another year to patch the problem. Three months after that, the company claimed to push a software fix out to wireless carriers, like Sprint and Verizon, and said the firm could take its findings public in another three months, reports WSJ’s Danny Yadron.

Realizing that the phones weren’t patched, but believing too much time had elapsed already, the NowSecure team decided to go ahead and present its discovery at the hacker conference, according to WSJ.

SwiftKey pointed out in a statement that its other apps are unaffected by the exploit, and that the current vulnerability—labeled CVE-2015-2865 in the industry’s taxonomical parlance—takes a bit of skill and a lot of good timing to pull off: “a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”

Samsung, too, released a statement addressing the bug: “We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security,” the company said. “Samsung KNOX,” the company’s mobile security solution, “has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy will begin rolling out in a few days.”

“In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.”

For now, NowSecure recommends that users of Samsung Galaxy smartphones affected by the bug (a list of the vulnerable models can be found here) should:

  • Avoid insecure Wi-Fi networks
  • Use a different mobile device
  • Contact carriers for patch information and timing

This article originally appeared on

PHOTOS: The Rise of Mobile Phones from 1916 to Today

A German field telephone station in the Aisne department of northern France during World War I.
1916 A German field telephone station in the Aisne department of northern France during World War I.Paul Thompson—FPG/Getty Images
A German field telephone station in the Aisne department of northern France during World War I.
French singer and actor Johnny Hallyday in a scene from the film 'Point de Chute' (aka 'Falling Point').
An early mobile phone during the Iranian Embassy siege at Princes Gate in South Kensington, London.
Bob Maxwell, general manager of Englewood-based Mobile Telephone of Colorado, places a call on FCC-approved radio frequency while driving to work.
THE A-TEAM -- "The Say U.N.C.L.E. Affair" Episode 5. (l-r) Eddie Velez as Frankie Santana, Robert Vaughn as General Hunt Stockwell, George Peppard as John 'Hannibal' Smith.
Bill Clinton,  Ray Flynn
Whoopi Goldberg during ShoWest in Las Vegas.
A farmer with his family sitting on a Bullock Cart and talking on a mobile Phone, in Delhi.
World Trade Center Terrorist Attack.
A rebel militiaman speaks on his mobile phone after capturing territory from government troops on March 25 2 in Ben Jawat, Libya.
A youth films the aftermath of tear gas police fired at protestors in Muhammed Mahmoud Street near Tahrir Square on November 23 in Cairo.
Audience members take pictures of President Barack Obama at Florida Atlantic University on April 10 in Boca Raton, Florida.
A teenager takes a selfie in front of Queen Elizabeth II during a walk around St. Georges Market in Belfast.
1916 A German field telephone station in the Aisne department of northern France during World War I.
Paul Thompson—FPG/Getty Images
1 of 13
TIME may receive compensation for some links to products and services on this website. Offers may be subject to change without notice.