Samsung keyboard bug leaves 600m Android devices exposed to hackers
LONDON: A vulnerability in Samsung’s Android keyboard, which is installed on over 600 million devices worldwide, could allow hackers to take full control of the smartphone or tablet. The security bug lies in the update mechanism of the built-in keyboard, which checks for language-pack updates (trending phrases) either daily or weekly.
“The keyboard was signed with Samsung’s private signing key and runs in one of the most privileged contexts on the device, system user, which is a notch short of being root,” said researcher Ryan Welton from security company NowSecure, who discovered the hole.
The problem was discovered last year. NowSecure told Samsung about the bug in December. Samsung asked NowSecure to keep the discovery under wraps until it could patch the problem. Google’s Android security team was also notified.
Users stuck even if they install another keyboard
“Unfortunately, the flawed keyboard app can’t be uninstalled or disabled,” said Welton. “It isn’t easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update.”
If the Samsung Android device is connected to a malicious Wi-Fi network when the keyboard attempts to update its trending phrases and language pack, an attacker on that network could substitute a backdoor for the update, giving them almost complete access to the phone.
According to NowSecure, an attacker could remotely access a smartphone’s sensors, such as GPS, the camera or the microphone, eavesdrop on calls, or access and tamper with sensitive personal data.
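The attack described above works because the device applies whatever arrives over the network as a language-pack update. The following is an added illustration, not code from NowSecure, Samsung or SwiftKey, and the article does not describe the real update format, transport or patch: it models a hostile Wi-Fi hop that swaps the update body for an attacker payload, an unverified client that installs it, and a hardened client that checks an Ed25519 signature against a vendor public key pinned on the device. The pack structure, the `LanguagePack` type, the key handling and the sample payloads are all constructed for the example; Go is used because its standard library ships the signature primitive.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// LanguagePack is a constructed model of one over-the-air keyboard update:
// a name, the payload to install and a detached signature over both.
// The real update format is not described in the article.
type LanguagePack struct {
	Name string
	Body []byte
	Sig  []byte // ignored by the unverified client, checked by the hardened one
}

// signedMessage binds the body to the pack name (length-prefixed, so the two
// fields cannot be re-split ambiguously). A valid signature for one pack can
// therefore not be reattached to a different name or a different body.
func signedMessage(p LanguagePack) []byte {
	msg := []byte(fmt.Sprintf("%d:%s:", len(p.Name), p.Name))
	return append(msg, p.Body...)
}

// vendorSign is what the update server does before publishing a pack.
// It works on a copy, so the caller's pack is not modified.
func vendorSign(priv ed25519.PrivateKey, p LanguagePack) LanguagePack {
	p.Sig = ed25519.Sign(priv, signedMessage(p))
	return p
}

// maliciousNetwork models the attacker on a hostile Wi-Fi network: the body is
// replaced with the attacker's payload and re-signed with a key the attacker
// controls, which is the best they can do without the vendor's private key.
func maliciousNetwork(p LanguagePack, attackerPriv ed25519.PrivateKey, payload []byte) LanguagePack {
	p.Body = payload
	return vendorSign(attackerPriv, p)
}

// applyUnverified installs whatever arrives, modelling an update client that
// trusts the network. It returns the body that would be installed.
func applyUnverified(p LanguagePack) []byte {
	return p.Body
}

// applyVerified installs the body only if the signature verifies under the
// vendor key pinned on the device; anything else is rejected before it is used.
func applyVerified(pinned ed25519.PublicKey, p LanguagePack) ([]byte, error) {
	if len(p.Sig) != ed25519.SignatureSize || !ed25519.Verify(pinned, signedMessage(p), p.Sig) {
		return nil, errors.New("update rejected: signature does not verify under the pinned vendor key")
	}
	return p.Body, nil
}

func main() {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample update and constructed attacker payload.
	genuine := vendorSign(vendorPriv, LanguagePack{Name: "en_US-trending", Body: []byte("genuine phrase list")})
	hostile := maliciousNetwork(genuine, attackerPriv, []byte("attacker payload"))

	fmt.Printf("unverified client installs: %q\n", applyUnverified(hostile))
	if _, err := applyVerified(vendorPub, hostile); err != nil {
		fmt.Println("verified client:", err)
	}
	if body, err := applyVerified(vendorPub, genuine); err == nil {
		fmt.Printf("verified client installs: %q\n", body)
	}
}
```

The property this shows is that a malicious network can only withhold a signed update, not replace it, because the device holds a public key only and the signing key never leaves the vendor. Moving the download to TLS narrows the window but still trusts whatever the connection delivers; signing the artifact itself is what makes the check independent of the path it travelled.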
“Unfortunately, we were only made aware of the issue on June 16,” said Joe Braid, chief marketing officer of SwiftKey. “We are working as hard as possible to support Samsung and help it fix the issue.”
A Samsung spokesperson told the Guardian, “Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security.”
“It is important to note that the phone’s core functions (kernel) were not affected by the reported issue due to the protection of the Samsung Knox platform in all Samsung Galaxy S models.”
“Samsung Knox also has the capability to update the security policy of the phones, over-the-air, to invalidate any remaining potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days.”
