If you’re reading this on a Samsung Galaxy—bad news—your phone may leave you wide open to identity theft. Thieves could be stealing your bank account password right now.
That sobering information was revealed Tuesday during the Black Hat London presentation “Abusing Android Apps and Gaining Remote Code Execution.”
NowSecure mobile security researcher Ryan Welton revealed that the keyboard that comes installed in the phones could allow an attacker remote access. The keyboard cannot be uninstalled or disabled, and you have no way of knowing if your carrier has patched the problem. According to Welton, an attack is “highly reliable, completely silent, and affects all devices.”
If the flaw in the keyboard is exploited, an attacker could remotely:
- Access sensors and resources like GPS, camera and microphone
- Secretly install malicious app(s) without the user knowing
- Tamper with how other apps work or how the phone works
- Eavesdrop on incoming/outgoing messages or voice calls
- Attempt to access sensitive personal data like pictures and text messages
Notice number three—tamper with other apps. Have you downloaded your bank’s app? Your investment or 401k company’s app?
NowSecure notified Samsung of the vulnerability in December 2014. Samsung provided a patch to wireless carriers in early 2015, but as of June 16, Galaxy phones on several carriers tested as unpatched.
A partial list of impacted phones includes the Galaxy S6, Galaxy S5, Galaxy S4 and Galaxy S4 Mini.
On Verizon, AT&T, Sprint and T-Mobile all of the impacted phones tested as either unpatched or unknown the week of June 15.
Welton’s recommendation: To reduce your risk, avoid insecure Wi-Fi networks, use a different mobile device and contact your carrier for patch information and timing.