As many as 600m Samsung mobile devices may be vulnerable to a serious bug that could allow hackers to spy on mobile users.
The risk includes the recently released Galaxy S6 smartphone.
The risk comes from a pre-installed keyboard that allows an attacker to remotely execute code as a privileged (system) user.
Hackers can exploit the flaw to access sensors and resources like GPS, camera and microphone.
They can also install malicious apps without the user knowing and can tamper with how other apps work on the phone.
The hackers can also eavesdrop on incoming/outgoing messages or voice calls and access personal data like pictures and text messages.
Difficult to determine how many users remain vulnerable
The flaw was uncovered by NowSecure mobile security researcher Ryan Welton and Samsung was notified in December of 2014.
NowSecure also notified CERT, which assigned CVE-2015-2865, and also informed the Google Android security team.
“While Samsung began providing a patch to mobile network operators in early 2015, it is unknown if the carriers have provided the patch to the devices on their network,” NowSecure said.
“In addition, it is difficult to determine how many mobile device users remain vulnerable, given the devices models and number of network operators globally.”