Researchers from NowSecure were able to seize control of GPS tracking data, microphones and cameras from Samsung devices, chief executive Andrew Hoog told The Washington Post. They also intercepted incoming and outgoing calls and messages and installed apps.
"These types of things are well within the capability of other organizations, and I think it's very naive to think other people haven’t found this or haven’t used this," Hoog said.
Watch researcher Ryan Welton demonstrate the hack here:
Samsung said in a statement that it "takes emerging security threats very seriously" and was aware of the issue. "We are also working with SwiftKey to address potential risks going forward," the statement said.
Devices dating back to Galaxy and Galaxy Note S3 models have preinstalled SwiftKey word prediction technology. That software cannot be uninstalled or disabled even if users activate a different keyboard.
The SwiftKey Keyboard app, available on Google Play and the App Store, is unaffected by these risks, according to the report and a SwiftKey spokesman.
But hackers using insecure Internet networks can easily dupe the word prediction software as it searches for automatic updates and gain control of the entire device, according to the report.
"I'd pretend to be SwiftKey, and your phone would have no way of knowing the difference because your phone does no verification" before downloading the update, said Tod Beardsley, research manager at IT security firm Rapid 7.
And that's a big liability. Think about how often you get on WiFi networks you're not 100 percent certain about. Is that WiFi at the coffee shop safe, or is the cagey guy in the corner broadcasting a false signal in a ploy to sap your data? Who knows?
"The response I've seen in the Android community is don’t get on untrusted networks," Beardsley said. "Well that’s near impossible. That’s why people have these phones."
"And once I have your phone, I get everything," he added. "There’s a lot of upside for an attacker."
Hoog calls the the security flaw and the access it potentially grants hackers "the perfect storm."
"The risk is high, but the threat is low," Beardsley said. "You have to already have an enemy and someone after you in particular, but if you already have those, don’t get on WiFi at all."
NowSecure said its researchers discovered the flaw in November and reported it to Samsung, which confirmed it on Dec. 31. Given the breadth of devices affected, NowSecure alerted the Department of Homeland Security's U.S. Computer Emergency Readiness Team in February, and Samsung patched the flaw in March.
Samsung said it has been rolling out the fixes, which are delivered through wireless cellphone providers, since March. But it's unclear how many Samsung phones have received the patch to fix the problem so far.
Hoog said the company is not moving quickly enough. "I suspect there are many, many phones that will never get updated," he said. "And that’s why we have to raise this visibility."
For now, users should avoid insecure WiFi networks (but good luck with that) and contact their cellular provider for a patch to fix the software, NowSecure recommends. And if all else fails, get a new phone, the security firm said.