Security experts at NowSecure have found a flaw in the SwiftKey virtual keyboard pre-installed on Samsung mobile devices, which potentially impacts up to 600 million devices. They noted that requests for language packs are not encrypted and can be diverted to a malicious server, which can then introduce code into the smartphone without the user's knowledge.
With this flaw, a hacker could access the microphone, the GPS or the camera, and could also install applications, intercept voice or SMS communications, or even access personal data such as photos.
Alerted in December 2014, Samsung proposed a patch in early 2015, but given the scale of SwiftKey's deployment in smartphones, the flaw may well remain exploitable on a large number of them. The Galaxy S3 to S5, Galaxy S6 and S6 Edge, and Galaxy Note 3 and 4 are potentially affected.
Worrying points: SwiftKey cannot be uninstalled, and the flaw remains active even if it is not the default keyboard. Reassuring point: the attacker must in principle be on the same WiFi or cellular network as the victim, although remote attacks remain possible.