Samsung smartphones can be hijacked, infected with malware, and remotely controlled by malicious Wi-Fi hotspots in cafes, hotels, and so on, security researchers claim.
According to the bods at NowSecure, millions of handsets have a remote-code execution vulnerability that is a software design flaw. One workaround is to avoid untrusted wireless; use VPN to a trusted network; or simply use another phone.
Essentially, NowSecure claims, the touchscreen keyboard app bundled with Samsung Galaxy S6, S5, S4 and S4 Mini handsets automatically updates itself by downloading a ZIP file of new files from the internet using an unencrypted HTTP connection.
It makes no attempt to verify the authenticity of the archive, it's claimed, so someone in control of your network could intercept the download, and send the phone a malicious archive instead.
The update process runs with system-level access. It unpacks the ZIP file without checking the paths of the files inside, and with full read-write permissions on the device's file system. This means a malicious archive could overwrite arbitrary files on the handset, replacing the installed software with malware, or just cause havoc, we're told.
The ZIP archive is downloaded from...
...and if, for example, it contains a file with the full filename...
...then, when unpacked by the update process, it will create a system-owned file in the directory
$ su -c "ls -l /data/payload" -rw------- system system 5 2014-08-22 16:07 payload
Which is bad.
The system keyboard app cannot be uninstalled, and if deactivated and replaced by another on-screen keyboard app, it will continue to run its update process in the background with full system privileges every so often.
"It’s unfortunate but typical for OEMs and carriers to preinstall third-party applications to a device," NowSecure researcher Ryan Welton wrote in a blog post. "In some cases these applications are run from a privileged context. This is the case with the keyboard on Samsung."
"This vulnerability is specific to Samsung devices, and we have observed it as far back as Android 4.2 and possibly even farther back," a spokesman for NowSecure added to The Register.
SwiftKey provided the software at the heart of Samsung's system keyboard, and said its standalone keyboard apps are not vulnerable.
"We’ve seen reports of a security issue related to the Samsung stock keyboard that uses the SwiftKey SDK," a spokesperson told El Reg on Tuesday.
"We can confirm that the SwiftKey Keyboard app available via Google Play or the Apple App Store is not affected by this vulnerability."
NowSecure has published a proof-of-concept exploit that it says will execute code remotely on affected handsets. There is no patch for the vulnerability.
"Unfortunately, the flawed keyboard app can’t be uninstalled or disabled," said Welton. "Also, it isn’t easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update."
Samsung was not available for comment. ®