Major security flaw impacts 600 million Samsung Galaxy phones

CHICAGO -- Millions of Samsung Galaxy phones are likely impacted by a security flaw that could allow attackers to install malware or eavesdrop on calls -- and there's not much users can do about it.

Security firm NowSecure said a bug in the pre-installed SwiftKey keyboard software shipped on more than 600 million Samsung devices could allow an attacker to "execute code as a privileged user" and thereby gain access to the device and the user's network.

If the flaw in the keyboard is exploited, the attacker could access the phone's GPS, camera and microphone, install malicious apps, eavesdrop on calls, and read photos and messages. The keyboard cannot be disabled or uninstalled, and the flaw can still be exploited even when the keyboard is not the one in use.

The list of affected devices includes the Galaxy S6, Galaxy S5, Galaxy S4, and Galaxy S4 Mini. Verizon, AT&T, Sprint, and T-Mobile customers are all impacted.

The flaw was discovered by Ryan Welton, a researcher at NowSecure. The firm notified Samsung and the Google Android security team in December.

While the vulnerability impacts millions of phones, many experts still consider it "low risk" because the attacker must be on the same compromised Wi-Fi network as the victim and must catch the keyboard at the moment it performs a language update.

Samsung has not publicly commented on the security flaw.

According to TechCrunch, SwiftKey supplies Samsung with the core technology that powers the keyboard's word predictions. However, it is the way the keyboard was integrated on Samsung devices that introduced the vulnerability; the SwiftKey apps available in app stores are not affected.

TechCrunch also reports that several sources said Samsung "screwed up" both in implementing SwiftKey's keyboard and in its response after being notified of the vulnerability three months ago.

SwiftKey released a statement in a blog post: