How Samsung Is Working to Fix Galaxy Security Vulnerability

Issue with keyboard software could let hackers spy on Galaxy smartphone users.

ByABC News
June 18, 2015, 1:40 PM
An attendant demonstrates using a SoftBank Corp, Galaxy S6 Edge smartphone, manufactured by Samsung Electronics Co., during a product launch in Tokyo in this May 19, 2015 file photo.
An attendant demonstrates using a SoftBank Corp, Galaxy S6 Edge smartphone, manufactured by Samsung Electronics Co., during a product launch in Tokyo in this May 19, 2015 file photo.
Kiyoshi Ota/Bloomberg/Getty Images

— -- A security flaw that could allow hackers to spy on the every move of some Samsung Galaxy users will be patched in the next few days, according to Samsung.

As many as 600 million Samsung Galaxy smartphones may have a keyboard software flaw allowing hackers to eavesdrop on phone calls and voicemail, read texts, turn on the microphone and view private photos, according to a report from U.S. based security firm NowSecure.

In a blog post today, Samsung wrote security updates would be implemented in the coming days via the KNOX security platform which has been installed in every model since the Galaxy S4.

"Samsung KNOX has the capability to update the security policies of our devices, over-the-air, to invalidate potential vulnerabilities caused by this issue," the blog post said.

Users should make sure their device automatically receives security policy updates by going to settings, security, other security settings and choosing security policy updates to make sure the automatic updates option is turned on.

Hackers are able to access the private information of some Galaxy S4, S5, and S6 users through a vulnerability in the devices' pre-installed SwiftKey keyboard predictive text technology, according to the report.

The likelihood of such an attack being pulled off is incredibly small, according to Samsung, which said it would require "a very specific set of conditions for a hacker to be able to exploit a device this way."

The security hole occurs when the device's keyboard updates -- giving hackers who are in the right place at the right time the opportunity to infiltrate a vulnerable device, according to NowSecure's research.

Ryan Welton, a security researcher with NowSecure, wrote in a blog post that the company first notified Samsung in December 2014 of the flaw, along with the United States Computer Emergency Readiness Team (CERT) and Google's Android security team.

The vulnerability is not related to SwiftKey's consumer apps in both the Google Play and Apple App Store.

"We supply Samsung with the core technology that powers the word predictions in their keyboard," a statement posted Wednesday on SwiftKey's website said. "It appears that the way this technology was integrated on Samsung devices introduced the security vulnerability. We are doing everything we can to support our long-time partner Samsung in their efforts to resolve this important security issue."