A new vulnerability, potentially affecting up to 600 million Android phones, was recently discovered by researchers at the security firm NowSecure. The vulnerability originates from a pre-installed keyboard on Samsung devices called SwiftKey that uses an insecure communication channel, which ultimately allows attackers to remotely execute code on the device as a privileged user.
At the time of this blog post, no full mitigation or protection options against the SwiftKey vulnerability have been provided to Samsung mobile device users. However, Skycure’s Mobile Threat Defense solution already detects and prevents exploits of this vulnerability using its Active Honeypot technology.
Hundreds of millions of Android phones, including Samsung Galaxy S6, S5, and several other Galaxy models, are shipped with a default keyboard called SwiftKey. SwiftKey pings its servers for a software update every now and then, which gets to the root of the problem: SwiftKey’s probing and downloading of software updates to Android devices are done over an unencrypted channel, which makes the mechanism susceptible to man-in-the-middle attacks. Intruders are then capable of pushing a malicious update file rather than the benign file. Making matters worse, SwiftKey runs with highly privileged permissions (system user) on affected Samsung devices, allowing an attacker’s fake update files to gain the same privileged permissions. As a result, a successful exploit would enable an attacker to steal or delete sensitive data, spy on victims by monitoring their GPS, photos or text messages, and stay on the device persistently to continue to attack it at the hacker’s discretion.
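The failure mode described above, as an added example that is not code from SwiftKey, Samsung, NowSecure or Skycure. It generalizes the point slightly: a file hash checked against metadata that arrived over the same unauthenticated channel accepts a substituted file, while metadata authenticated with a vendor key does not. The key, URL, function names and payloads are constructed, and HMAC stands in for the asymmetric signature a real updater would verify.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed stand-in for a vendor signing key (assumption). A real updater
# verifies an asymmetric signature with a public key shipped in the firmware.
VENDOR_KEY = b"constructed-demo-key"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_manifest(url: str, payload: bytes) -> bytes:
    """Update metadata: where the file lives and what it must hash to."""
    return json.dumps({"url": url, "sha256": sha256_hex(payload)}).encode()

def sign_manifest(manifest: bytes, key: bytes = VENDOR_KEY) -> str:
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()

def hash_only_check(manifest: bytes, payload: bytes) -> bool:
    """Weak: trusts whatever manifest arrived on the wire."""
    return hmac.compare_digest(json.loads(manifest)["sha256"], sha256_hex(payload))

def hardened_check(manifest: bytes, tag: str, payload: bytes,
                   key: bytes = VENDOR_KEY) -> bool:
    """Authenticate the manifest first, then require HTTPS and a matching hash."""
    if not hmac.compare_digest(tag, sign_manifest(manifest, key)):
        return False
    meta = json.loads(manifest)
    if urlsplit(meta["url"]).scheme != "https":
        return False
    return hmac.compare_digest(meta["sha256"], sha256_hex(payload))

# Constructed sample data: the vendor's file, and a file swapped in transit
# together with a manifest rewritten to match it (no key needed for either).
URL = "https://updates.example.invalid/pack.zip"
GOOD, SWAPPED = b"benign language pack", b"substituted file"
good_manifest = make_manifest(URL, GOOD)
good_tag = sign_manifest(good_manifest)
swapped_manifest = make_manifest(URL, SWAPPED)

def demo() -> dict:
    return {
        "hash_only_accepts_swap": hash_only_check(swapped_manifest, SWAPPED),
        "hardened_accepts_swap": hardened_check(swapped_manifest, good_tag, SWAPPED),
        "hardened_accepts_good": hardened_check(good_manifest, good_tag, GOOD),
    }

if __name__ == "__main__":
    print(demo())
```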
Skycure’s Recommended Remediation
As a mitigation, the NowSecure researchers have suggested: “To reduce your risk, avoid insecure Wi-Fi networks, use a different mobile device and contact your carrier for patch information and timing”. However, at Skycure, we think that such drastic measures may be impractical for most users. Considering the sheer volume of potentially affected Android devices (600 million), there could be a huge detrimental impact on productivity as millions of users are simultaneously forced to scramble to sort out both their personal and corporate mobility.
I am happy to share that there is a way to remain connected to networks via SwiftKey-vulnerable mobile devices and still be safe. Our patent-pending Skycure Active Honeypot technology, which is a central piece of the Skycure Mobile Threat Defense enterprise solution, detects and prevents exploits of vulnerabilities such as the SwiftKey vulnerability.
Active Honeypot stays ahead of attacks by luring hackers to attack Skycure-protected mobile devices. In this way, Skycure can securely analyze the response, calculate the deviation from the “expected” behavior and inform the end-user in case of an active cyber attack. Skycure’s Enterprise Edition additionally triggers automated protection using native functionality or leveraging enterprise system integrations with an organization’s MDM/EMM, Exchange and VPN solutions. Any new threat detected by Skycure is fed back to the Skycure Crowd Wisdom Engine to proactively protect all Skycure-enabled devices. The combination of Active Honeypot, automated notifications and crowd wisdom keeps Skycure enterprise and BYOD users much safer and headache-free. Users can download a free version of the Skycure app from both the Apple and Google Play app stores to detect a plethora of mobile cyber attacks, including physical, network, malware and vulnerability exploits.
To learn more about the latest threats on mobile devices, attend the RSA Conference featured webcast with Skycure’s Adi Sharabani and Yair Amit. Register for The Four Horsemen of Mobile Security webcast, which takes place on June 24th at 10am PT.