Hundreds of millions of Android mobile devices may be at risk because of a flaw in the default keyboard used by Samsung, and because of the level of access Samsung affords the keyboard software.

Mobile security vendor NowSecure found that the version of the SwiftKey keyboard built-in to many popular Samsung Galaxy devices, from the Galaxy S3 to the S6 on multiple carriers, downloads language packs via HTTP and does not use a secure transfer protocol. This leaves devices vulnerable to a man-in-the-middle attack wherein a malicious actor capable of controlling a user’s network traffic can intercept a request to download a language pack upgrade or new language pack and deliver back an infected file.

“The keyboard automatically checks for updates periodically,” said NowSecure CEO Andrew Hoog. “If this were something only the user could trigger, it would be far less impactful, but it does go off and check on its own. You cannot disable that, even if you aren’t using the keyboard, there’s no way to stop it at this time.”

“This is definitely a serious finding,” commented Tyler Shields, senior analyst at Forrester. “This vulnerability affects a very wide distribution of phones and can lead to compromise of sensitive data. I would expect that we’ll continue to see more of these types of vulnerabilities disclosed as the conference season continues through the summer.”

When asked about the issue, SwiftKey confirmed that the version of its app found in the Google Play Store and available for general download is not affected by this vulnerability. However, SwiftKey did not respond when asked if that meant the Play Store version of SwiftKey uses secure transfer protocols and why the Samsung version would behave differently.

The fault is not only with how SwiftKey downloads language packs but also with the level of access Samsung gives to the built-in version of the keyboard. NowSecure said Samsung signs the keyboard app with its private key and runs it in “one of the most privileged contexts on the device, system user, which is a notch short of being root.”

Normally, Android’s sandboxing protocols would limit the options for leveraging a man-in-the-middle attack, but the level of access Samsung gives to this app makes the potential damage far worse.

“The ability to use this attack to steal sensitive data is 100%,” said Hoog. “There has been talk over the years about how mobile is a target. This is clearly a way that enterprise data could be targeted and taken off the device.”

According to Hoog, NowSecure reported this vulnerability to Samsung in November 2014 and Samsung confirmed it in December. In March 2015, Samsung told NowSecure it had released an update to carriers and requested three additional months before disclosure.

Hoog said the only way to get a fix for this issue is for users to push Samsung and carriers to provide a patch for affected devices, something that has been notoriously slow in coming with Android. The process may hit additional roadblocks, Hoog said, because those seeking better mobile security are often too quick to focus on mobile malware.

“It’s really the users and the enterprises that carry the risk here,” Hoog said. “With the industry focused so much on malware, we’ve seen the industry waste millions and millions of dollars on the wrong problem. We’ve been seeing issues of apps leaking insecure data since 2010, but we haven’t seen a material change in that.”