Report: Security Flaw (Still) Prevalent In Samsung Galaxy S Devices

More than 600 million Samsung devices are at risk of a new security flaw that allows hackers to eavesdrop on users' phone conversations and rummage through messages and contacts, cybersecurity firm NowSecure stated in a report on Tuesday.

Samsung smartphone models, including the recently released Galaxy S6, are vulnerable to a security flaw stemming from a preinstalled keyboard that allows hackers to remotely execute code as a system user, according to NowSecure.

According to the cybersecurity company, Samsung was notified in December of the uncovered flaw. As of Tuesday, four different Galaxy S models are still unpatched for the flaw.

[Related: Here's Who Made Gartner's 2015 Magic Quadrant For Enterprise Mobility Management]

Samsung did not respond to a request from CRN for comment by deadline.

The flaw, which exists because Samsung did not encrypt the update process of the keyboard, allows remote attackers to manipulate the keyboard update mechanism on Galaxy model devices.

The Swift keyboard, SwiftKey, comes preinstalled on Samsung devices and cannot be disabled or uninstalled. According to NowSecure, it's "unfortunate but typical for OEMs and carriers to preinstall third-party applications to a device."

"We've seen reports of a security issue related to the Samsung stock keyboard that uses the SwiftKey SDK. We can confirm that the SwiftKey Keyboard app available via Google Play or the Apple App Store is not affected by this vulnerability," SwiftKey said in a statement. "We take reports of this manner very seriously and are currently investigating further."

Once hackers exploit a flaw in the device's keyboard, they could gain access to end users' pictures, text messages, voice calls and sensors. They also could secretly install malicious apps without users' knowledge.

Patrick Moorhead, president and principal Analyst of Moor Insights & Strategy, a tech analyst firm based in Austin, Texas, said vendors need to be more vigilant in looking for every potential crack in security.

"This sounds initially like a Samsung update issue, not an Android Play Store issue," he said. "The app, SwiftKey, wasn’t infected, but the unencrypted update method enabled malware to be injected and installed onto the phone. In general, smartphones [in the past] were less prone to these kinds of things because of the minimal ways to install software."

Moorhead said Google recently started to tackle the issue of malware through wide scans in its store, while Apple has been upping its security game with a much more rigid app approval method and by not enabling "side-load" app installations.

Steven Kantorowicz, president of CelPro Associates, a Samsung partner based in New York, stressed that his clients with Samsung devices generally opt for a third-party mobile device management solution to ensure security for enterprise networks.

"This doesn't surprise me… Android devices are not secure devices unless you have a mobile device management solution, such as those from Good Technology or MobileIron," he said. "If you don't have that, especially as an enterprise customer, you leave yourself wide open. Any enterprise client who is not concerned about security is in jeopardy of getting hacked."

NowSecure stated that Samsung device users can protect sensitive data through avoiding insecure Wi-Fi networks, using a different mobile phone, and contacting carriers for patch information and timing.

PUBLISHED JUNE 16, 2015