Samsung announces fix after security loophole leaves 600 million devices 'vulnerable to hackers'

Samsung announced a fix to its keyboard software after a security flaw in Samsung Galaxy smartphones and tablets left up to 600 million devices at risk from hackers gaining access to personal pictures, messages and applications, according to a mobile security researcher.

The flaws were revealed this week by security company NowSecure's researcher Ryan Welton, after he found he could hack into users' Samsung phones pre-loaded with SwiftKey keyboards, whilst the phone was updating or downloading new language packages.

In a blog post, Samsung described the likelihood of a successful attack as "low", and said there had been no reported cases of devices being compromised. However, they acknowledged that there was a risk and said there would be an update to security policy "in the coming days".

The vulnerability of private information stored on devices and in the cloud came to the fore last year when hackers were able to access Apple's iCloud software, leading to intimate images of celebrities leaking online.

This new loophole is exploited through what is known as a 'man-in-the-middle' attack, in which a hacker connected to the same unencrypted wifi connection as the Samsung user first infiltrates the software already built in to the Samsung phone.

At the point where the keyboard software asks the Samsung device whether it needs updating or not, the hacker can override the phone's request, acting as a privileged system user, and automatically update the keyboard software.

This allows the hacker to tap into the smartphone as it automatically updates and inject 'malicious code' into the phone, thereby controlling it remotely. This ultimately gives hackers unlimited access to the phone user's images, the phone's camera and inbox messages, and could even let them listen in to conversations.

Samsung handsets identified as vulnerable include the Samsung Galaxy S4 and S4 Mini, the Galaxy S5 and the Galaxy S6.

Quick to respond to news of the discovery by NowSecure, SwiftKey, Samsung's keyboard provider, advised its customers that other versions of its keyboard for other Android handsets and iPhones are not affected by the flaw when updated or downloaded.

SwiftKey said, "We can confirm that the SwiftKey Keyboard app available via Google Play or the Apple App Store is not affected by this vulnerability. We take reports of this manner very seriously and are currently investigating further."

Reacting to the vulnerability, a Samsung spokesperson told the Guardian: "Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security."

It also said that the Samsung KNOX platform (the device which protects private and confidential information on Android devices) can "invalidate any remaining potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days."

About the writer

Eilish O'Gara
