Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Vulnerability Management, Incident Response, TDR, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Samsung devices, including Galaxy S6, vulnerable to remote code execution


More than 600 million Samsung mobile device owners are vulnerable to cyberattacks that could allow a perpetrator to remotely execute code as a privileged system user.

The vulnerability exists in Samsung's pre-installed Swift keyboard. The keyboard, which cannot be uninstalled or disabled, issues update check requests every couple hours or so, explained NowSecure CEO Andrew Hoog during a Wednesday interview with NowSecure discovered the bug, CVE-2015-2865, in 2014, and notes that to execute a successful attack, a person must be capable of modifying upstream traffic.

If a user is logged into an insecure WiFi network, for example, a successful man-in-the-middle (MitM) attack could allow a cybercriminal to monitor the network traffic for these requests. Once one is spotted, the attacker can respond with a malicious payload. From there, the attacker could tamper with the compromised device. Sample exploitations could include accessing sensors and resources, such as the device's camera; installing malicious apps without the user's knowledge; listening in on calls; or accessing personal data, such as pictures and text messages.

Some users have downloaded the SwiftKey Google Play app, which is separate from the pre-installed keyboard app. Even with this version enabled, the vulnerability risk isn't mitigated; the default keyboard will continue to run in the background.

Samsung was notified of the vulnerability in December 2014, which prompted the company to provide a patch to mobile network operators. However, these providers were then left to push the update out to subscribers. NowSecure lists multiple providers on its dedicated vulnerability webpage, noting that some left their subscribers' devices unpatched. For others, NowSecure wasn't sure whether devices were still vulnerable.

“It is difficult to determine how many mobile device users remain vulnerable, given the devices, models and number of network operators globally,” the company wrote.

Not all security professionals are worried about the findings, however.

Nathan Collier, senior malware intelligence analyst at Malwarebytes Labs, in prepared commentary to, said that it's “doubtful we'll see it [an exploitation] in the real world.”

He argues the attack is too targeted per device. That said, Hoog told this publication that he doesn't agree, considering the vulnerability received an 8.3 score on the Common Vulnerability Scoring System (CVSS) framework and because the sophistication required is minimal at best.

In either case, Hoog recommends concerned users minimize their time on open WiFi networks while waiting on a patch. He also suggested reaching out to carriers for patch information and consider using a different device in the meantime. 

Samsung didn't reply to a request for comment.


Samsung responded to's request for comment. A company spokesperson said: “Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security."

The company's security service, Samsung Knox, is able to patch the vulnerability over-the-air, the spokesperson said, and will begin rolling out updates in the coming days. The company is also coordinating with Swiftkey to address potential risks going forward.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.