The software flaw has the potential to allow unauthorized access to your phone calls, voicemail messages, text messages, and private photos as well as allow a hacker to turn on your phone’s microphone remotely. The security flaw can be exploited when the keyboard software for the device updates. This means that the hacker has to be in the right place at the right time to take advantage of the security flaw, but it is possible for them to access your device if they are determined. SwiftKey’s consumer apps in the Google Play and Apple App Store are not affected by the vulnerability.
NowSecure first notified Samsung of the flaw in December 2014. The company also notified the United States Computer Emergency Readiness Team (CERT) and Google’s Android security team of its discovery. SwiftKey recently issued a statement on its website saying, “It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability. We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this important security issue.”
Even those that choose to use a different third party keyboard app are vulnerable to the security flaw because the SwiftKey technology cannot be uninstalled from the device. Patches for the security flaw were initially issued to mobile providers at the beginning of 2015, but it remains unclear whether the patches were provided by the carriers to the affected mobile users and how many smartphones are still vulnerable to the flaw. NowSecure recommends that Galaxy users should ask their mobile provider for information about the security patch for the flaw and avoid accessing unsecured Wi-Fi networks with their phones.