Samsung Galaxy S phones, including the S4 Mini, S4, S5, and S6, fail to properly validate Swiftkey language pack updates.
CWE-345: Insufficient Verification of Data Authenticity - CVE-2015-4640
Samsung Galaxy S phones, including the S4 Mini, S4, S5, and S6, are pre-installed with a version of SwiftKey keyboard that is signed by Samsung to operate with system privileges. By design, SwiftKey periodically checks for language pack updates over HTTP (CVE-2015-4640). By intercepting such requests and modifying the necessary fields, an attacker can write arbitrary data to vulnerable devices.
A remote, unauthenticated attacker conducting a man-in-the-middle attack may be able to write arbitrary data to vulnerable devices checking for updates. Based on the frequency of SwiftKey update checks, which "appears to be every 8 hours" according to NowSecure researchers, such an attack may have a low likelihood of occurring.
Apply an update
Avoid untrusted networks
Thanks to Ryan Welton and Ted Eull of NowSecure for reporting this vulnerability.
This document was written by Joel Land.