According to the researcher Ryan Welton, the SwiftKey IME keyboard update mechanism can be manipulated by a remote attacker capable of controlling user network traffic, and can then execute code as a privileged system user on the target phone.
The keyboard cannot be disabled or uninstalled, and even if not used as the default keyboard the vulnerability can still be exploited. In his blog entry detailing the vulnerability, Welton explains "the attack vector for this vulnerability requires an attacker capable of modifying upstream traffic. The vulnerability is triggered automatically (no human interaction needed) on reboot as well as randomly when the application decides to update. This can include geographically proximate attacks such as rogue Wi-Fi access points or cellular base stations, or attacks from local users on a network, including ARP poisoning. Fully remote attacks are also feasible via DNS hijacking, packet injection, a rogue router or ISP, etc."
As far as we can tell, the threat only applies to users of Samsung mobile devices that run the stock, pre-installed version of the SwiftKey keyboard, rather than the app available for download from the Apple App Store or Google Play (this appears to be confirmed by the developers). This raises the question: if the standalone download is secure, what went wrong with the Samsung IME keyboard development process?
Jon Christiansen, lead consultant at Context Information Security, suggested to SCMagazineUK.com that "it cannot be said for certain since there are no developer comments so far, but it is likely that they, in the process of adapting SwiftKey into a pre-installed app, had to change how the update mechanism works (as it is no longer through Google Play like most apps) and in creating/expanding their own code, simply re-implemented it in an insecure manner, in this case as an unencrypted HTTP request to a specific server."
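To make the failure mode Christiansen describes concrete, here is an added illustration (not code from SwiftKey, Samsung or the researcher) contrasting an updater that trusts whatever zip the network delivers with one that refuses plaintext update sources and verifies the zip's digest against a manifest value before anything is extracted. It assumes a hypothetical manifest fetched over TLS from a pinned server; the language-pack contents and URLs are constructed.

```python
import hashlib
import hmac
import io
import zipfile
from urllib.parse import urlparse


def make_zip(entries: dict) -> bytes:
    """Build a small in-memory zip (constructed test data, not a real pack)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def insecure_apply_update(zip_bytes: bytes) -> list:
    """The pattern described in the article: the update arrives over plain
    HTTP and is trusted as-is. Returns the entry names it would install;
    an on-path attacker who swaps the zip controls this list entirely."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def update_url_is_acceptable(url: str) -> bool:
    """Reject any update source that is not TLS-protected (hypothetical policy)."""
    return urlparse(url).scheme == "https"


def verify_update(zip_bytes: bytes, manifest_sha256_hex: str) -> bool:
    """Hardened check: accept the zip only if its SHA-256 matches the digest
    published in an authenticated manifest and it parses as a valid archive.
    compare_digest avoids leaking the mismatch position through timing."""
    actual = hashlib.sha256(zip_bytes).hexdigest()
    if not hmac.compare_digest(actual, manifest_sha256_hex):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return zf.testzip() is None  # None means every entry's CRC checks out
    except zipfile.BadZipFile:
        return False


# Constructed samples: the genuine pack, a substituted one, and junk bytes.
GENUINE = make_zip({"en_GB/dictionary.bin": b"constructed language pack"})
MANIFEST_DIGEST = hashlib.sha256(GENUINE).hexdigest()  # value a signed manifest would carry
TAMPERED = make_zip({"en_GB/dictionary.bin": b"constructed substituted content"})
BOGUS = b"PK not really a zip"
BOGUS_DIGEST = hashlib.sha256(BOGUS).hexdigest()
```

Running the two paths side by side shows that `insecure_apply_update` installs the tampered pack without complaint, while `verify_update` rejects it on the digest mismatch alone.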
As for how realistic an attack is: because it requires a man-in-the-middle (MiTM) position on the victim's network traffic, wide-scale targeting of the "600 million vulnerable Samsung users" that other articles mention seems infeasible.
A possible attack scenario would be one where an attacker sets up a rogue Wi-Fi hotspot at a popular destination where many people connect to a single access point (such as a business conference), and waits for the update to trigger before injecting the fake zip. While such an attack could yield a lot of valuable information, general wide-scale attacks seem unlikely with the information available so far.
Given that disabling the stock keyboard is not an option, and that waiting for a fix could take time, what is the most sensible advice to those 600 million users? SC has seen everything suggested from "root it and remove it" to "buy another phone", and one national newspaper was even running a story online with the advice: "If you own a Samsung phone, turn it off. Now!"
When you step back from the headline hysteria, how much of a real world threat is this vulnerability? Andrew Conway, a research analyst at Cloudmark, was clear when speaking to SC that although this latest bug to hit Samsung has the potential "to create doubts over the company's security for its devices", it is still "not one that is likely to be much of a threat to typical users."