
Samsung Galaxy Keyboard Bug Exposes Users to Hackers

Hundreds of millions of users of Samsung Galaxy smartphone models S4 through S6 are potentially exposed to a software flaw that researchers disclosed at the Black Hat conference in London on Tuesday.

The flaw, discovered by Ryan Welton, a researcher at the cybersecurity firm NowSecure, lets attackers compromise affected Samsung devices. It can give a hacker covert control over a phone’s microphone and camera, access to text messages, and the ability to install malicious apps, among other things.

The issue arises from a defect in the software updater for Samsung’s default virtual keyboard, a customized version of the word-prediction technology developed by SwiftKey. When a device downloads a language pack update, it does so over an unencrypted connection and does not verify that the file it receives is genuine. Any man-in-the-middle attacker (a bad actor positioned between the phone and the update server, for example on the same Wi-Fi network as the user) can therefore replace the real file with a malicious one in transit, compromising the device.

The default keyboard cannot be uninstalled and checks for updates automatically, so even people who use a different keyboard app are exposed.

Two problems with the phones’ updater process combine to make the vulnerability severe. On the one hand, the keyboard fetches its language pack updates over an unencrypted connection and does not check their integrity, which is what lets an attacker on the path substitute a malicious file (as described above); the decisive weakness is the missing authenticity check, since encrypting the transfer alone would not stop a tampered file from being accepted. On the other, Samsung runs the keyboard, and therefore its updates, with elevated system-level permissions, so a substituted file is written with those privileges and the attacker can circumvent the phone’s security controls and meddle with all sorts of data and code running on the device.
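The two conditions just described are easier to see in code. The following Python sketch is an added illustration, not code from NowSecure, Samsung or SwiftKey: it models a keyboard updater pulling a language pack through a network an attacker controls, once with no integrity check (the flaw as reported) and once checking the file against a pinned SHA-256 digest before installing it with elevated privileges. The payloads, the update URL and the pinned digest are constructed for the example; how a real device would obtain a trustworthy digest (a signed manifest) is assumed rather than shown.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample payloads (not real Samsung or SwiftKey files).
GENUINE_PACK = b"LANGPACK v1 en_US: the of and to a in is it you that"
MALICIOUS_PACK = b"LANGPACK v1 en_US: <attacker-controlled contents>"

# Digest the device expects for this pack. A real updater would take it
# from a manifest whose signature it has already verified; that signing
# step is assumed here and not shown.
PINNED_SHA256 = hashlib.sha256(GENUINE_PACK).hexdigest()

# Hypothetical update URL, used only as a label.
PACK_URL = "http://updates.example.invalid/en_US.pack"


@dataclass
class Network:
    """A plaintext channel. If an attacker sits on the path, responses can
    be rewritten wholesale, which is exactly what an unencrypted,
    unauthenticated download lets a man-in-the-middle do."""
    attacker_on_path: bool = False

    def fetch(self, url: str) -> bytes:
        body = GENUINE_PACK          # the real server always sends this ...
        if self.attacker_on_path:    # ... but an on-path attacker swaps it
            body = MALICIOUS_PACK
        return body


@dataclass
class Device:
    """Records what the updater wrote with its elevated privileges."""
    system_files: dict = field(default_factory=dict)

    def install_as_system(self, name: str, blob: bytes) -> None:
        self.system_files[name] = blob


class InsecureUpdater:
    """Models the flaw: trust whatever arrives and install it."""

    def __init__(self, net: Network, dev: Device) -> None:
        self.net, self.dev = net, dev

    def update(self) -> str:
        blob = self.net.fetch(PACK_URL)
        self.dev.install_as_system("en_US.pack", blob)
        return "installed"


class HardenedUpdater:
    """Check the download against the pinned digest before installing.
    This is an integrity check, not encryption: a file the attacker cannot
    make match the expected digest is rejected even on a plaintext channel."""

    def __init__(self, net: Network, dev: Device, expected_sha256: str) -> None:
        self.net, self.dev, self.expected = net, dev, expected_sha256

    def update(self) -> str:
        blob = self.net.fetch(PACK_URL)
        digest = hashlib.sha256(blob).hexdigest()
        if not hmac.compare_digest(digest, self.expected):
            return "rejected: digest mismatch"   # nothing is written
        self.dev.install_as_system("en_US.pack", blob)
        return "installed"


def run_scenario(hardened: bool, attacker_on_path: bool) -> Tuple[str, Optional[bytes]]:
    """Return (updater verdict, bytes actually installed as system, if any)."""
    net = Network(attacker_on_path=attacker_on_path)
    dev = Device()
    updater = (HardenedUpdater(net, dev, PINNED_SHA256) if hardened
               else InsecureUpdater(net, dev))
    verdict = updater.update()
    return verdict, dev.system_files.get("en_US.pack")


if __name__ == "__main__":
    for hardened in (False, True):
        for attacker in (False, True):
            verdict, installed = run_scenario(hardened, attacker)
            print(f"hardened={hardened!s:5} attacker={attacker!s:5} -> "
                  f"{verdict}; installed={installed!r}")
```

Running the four scenarios shows the insecure updater writing the attacker’s file as a system-privileged component whenever the attacker is on the path, while the hardened updater installs the genuine pack and rejects the tampered one. The fix that matters is authenticating the file before the privileged install step; transport encryption helps, but on its own it would not have caught a download that the server, or anyone impersonating it, chose to send.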

“Because Samsung phones grant extraordinarily elevated privileges to the updates,” writes Ars Technica security editor Dan Goodin, “the malicious payload is able to bypass protections built into Google’s Android operating system that normally limit the access third-party apps have over the device.”

Andrew Hoog, the CEO of NowSecure, told the Wall Street Journal that his company alerted Samsung to the flaw in November. Two months later, Samsung requested another year to patch the problem. Three months after that, the company said it had pushed a software fix out to wireless carriers, like Sprint and Verizon, and that the firm could take its findings public in another three months, reports WSJ’s Danny Yadron.

Realizing that the phones weren’t patched, but believing too much time had elapsed already, the NowSecure team decided to go ahead and present its discovery at the hacker conference, according to WSJ.

SwiftKey pointed out in a statement that its other apps are unaffected by the exploit, and that the current vulnerability, tracked as CVE-2015-2865, takes a bit of skill and a lot of good timing to pull off: “a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”

Samsung, too, released a statement addressing the bug: “We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security,” the company said. “Samsung KNOX,” the company’s mobile security solution, “has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy will begin rolling out in a few days.”

“In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.”

For now, NowSecure recommends that users of the affected Samsung Galaxy models (NowSecure has published a list of the vulnerable devices) should:

  • Avoid insecure Wi-Fi networks
  • Use a different mobile device
  • Contact carriers for patch information and timing

This article originally appeared on Fortune.com
