Keyboard hack puts 600 million Samsung Galaxy devices at risk
Millions of Samsung Galaxy owners are at risk of having their smartphones hacked after a vulnerability in the devices' keyboard software was discovered. Hackers are now able to use Samsung’s default keyboard app to tap into the cameras, microphones, text messages and bank account login details of Galaxy owners without their knowledge.
Update: SwiftKey has posted an update on its blog to reaffirm that the security issue does not affect its keyboard app downloadable from Google Play and the Apple App Store.
In addition, Samsung is said to be "working on an expedited firmware update" which will be available "upon completion of all testing and approvals." No ETA was provided.
To learn how you can protect your Samsung Galaxy phone in the meantime, head to the bottom of this page so you don't miss the update when it arrives. For more information on SwiftKey's response you can visit the SwiftKey blog. Our original story continues below.
The security flaw, discovered by mobile security company NowSecure, is said to have put more than “600 million” Samsung devices at risk, including the Galaxy S4, Galaxy S5 and Galaxy S6.
Hackers can introduce malicious code into a device through the default IME keyboard (Samsung’s repackaged version of SwiftKey) by impersonating the keyboard’s home server. The keyboard periodically sends a request for updates, and it is at that point that an attacker posing as the server can compromise the handset.
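The weakness in that update path is a client that installs whatever answers its update request. As an added illustration (not SwiftKey's or Samsung's code; the article does not describe how the real update channel was protected), this Go program shows the check that closes it: the client accepts an update only if it carries a signature from a vendor key pinned in the client, so an impostor server, which does not hold the vendor's private key, cannot get its payload installed. The manifest layout and sample package are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateManifest models what a keyboard fetches from its update server: the
// update package plus a signature over its SHA-256 digest (constructed format).
type UpdateManifest struct {
	Package   []byte
	Signature []byte
}

// VerifyUpdate accepts a manifest only if its signature validates against the
// vendor public key pinned in the client. An impostor server without the
// vendor's private key cannot produce one, so its payload is refused before
// anything is unpacked or installed.
func VerifyUpdate(pinned ed25519.PublicKey, m UpdateManifest) error {
	if len(pinned) != ed25519.PublicKeySize || len(m.Signature) != ed25519.SignatureSize {
		return errors.New("malformed key or signature")
	}
	digest := sha256.Sum256(m.Package)
	if !ed25519.Verify(pinned, digest[:], m.Signature) {
		return errors.New("update rejected: not signed by the pinned vendor key")
	}
	return nil
}

// SignManifest is the server side: only the holder of the vendor private key
// can produce a manifest that VerifyUpdate accepts.
func SignManifest(priv ed25519.PrivateKey, pkg []byte) UpdateManifest {
	digest := sha256.Sum256(pkg)
	return UpdateManifest{Package: pkg, Signature: ed25519.Sign(priv, digest[:])}
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, impostorPriv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := []byte("constructed sample update package")
	// Genuine server: accepted (nil). Impostor posing as the server: rejected.
	fmt.Println("vendor-signed:  ", VerifyUpdate(vendorPub, SignManifest(vendorPriv, pkg)))
	fmt.Println("impostor-signed:", VerifyUpdate(vendorPub, SignManifest(impostorPriv, pkg)))
}
```

A package altered in transit after signing fails the same check, since the signature covers the package digest.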
In response to NowSecure's claims, a SwiftKey spokesperson said, “we’ve seen reports of a security issue related to the Samsung keyboard. We can confirm that the SwiftKey Keyboard apps available via Google Play or the Apple App Store are not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further.”
However, devices that have already been hacked require a carrier-issued upgrade to remove the vulnerability; SwiftKey cannot simply be updated from the Play Store to restore security.
Samsung keyboard hack: what should you do?
To make sure you get the fix that's being issued through Samsung's KNOX software, do the following:
- Go to your settings menu.
- Tap "Security".
- Scroll to "Other security settings."
- Tap "Security policy updates."
- Make sure "Automatic updates" is ticked.
We reached out to Samsung for comment and here is the official response:
“Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security.
Samsung KNOX has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days.
In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.”
Samsung has been manufacturing phones with the name "Galaxy" since 2009.
Scott, you give no information about which models are affected: "including the Galaxy S4, Galaxy S5 and Galaxy S6" means "and possibly all the others -- I couldn't be bothered doing the research -- so you should all freak out." This is an excellent case of FUD (Fear, Uncertainty, and Doubt).
Does this affect the galaxy s6 edge also?
Yes, but the chance of it affecting your device is exceedingly rare.
From what I read elsewhere, even if you put another keyboard on phone, it may still have the problem, because the Samsung board is integral.
I keep no banking details on my phone, so it's only a few personal pics and music.
I do, however, have Kaspersky antivirus software on the phone, so that may pick up any nasties.
"From what I read elsewhere, even if you put another keyboard on phone, it may still have the problem" -- Yep!
What about using another keyboard (Google keyboard, for example)? Will this solve the problem? I have a GS5, btw.
No, that won't solve the problem, but it's extremely unlikely that your device has been compromised, and Samsung is issuing a fix soon.
Saying "it's extremely unlikely" doesn't really make much sense because devices *were* compromised (600+ M at risk isn't a small group), so how can you tell from where you sit which ones are "more likely" versus "extremely unlikely"?