Samsung said today in an official statement that it's preparing an update to close a potential but obscure avenue for exploitation in the custom keyboard shipped on a number of its most popular phones.
The update will be delivered through the security policy update mechanism in Samsung Knox rather than a full system update, Samsung said in its statement. (That raises the question of why it wasn't done that way in the first place, if we really had been waiting on U.S. operators to push out a fix.)
Here's what's up. In a statement given to Android Central, Samsung says:
"Samsung takes emerging security threats very seriously. We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security. Samsung Knox has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy updates will begin rolling out in a few days. In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward."
The crux of the issue is the way the language packs for Samsung's keyboard are updated. (The language packs are part of the SwiftKey SDK, but the retail version of the SwiftKey keyboard wasn't involved in any of this in any way.) If your phone was connected to an unsecured access point and an attacker was able to catch you at the moment your phone was updating a language pack, they'd be able to replace the update payload with something nefarious. That would require a lot of things to line up at once, of course. But while the exploit is obscure, it's still real and needs to be fixed.
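To make the failure mode concrete, here is an added, constructed simulation of a language-pack updater that rejects a swapped-in payload by checking it against an authenticated manifest. This is not Samsung's or SwiftKey's code; HMAC-SHA256 under a pinned key stands in for whatever signature scheme a real vendor would use, and the pack contents and key are made up.

```python
"""Simulated language-pack update with payload verification (added example).

The flaw described above is an update fetched over an untrusted network with
no check that the bytes received are the bytes the vendor published, so an
on-path attacker can replace them. The defensive check below accepts a pack
only if an authenticated manifest vouches for its digest.
"""
import hashlib
import hmac

# Constructed pinned key standing in for a vendor verification key.
PINNED_KEY = b"constructed-vendor-key"


def sign_manifest(payload: bytes, key: bytes = PINNED_KEY) -> dict:
    """Vendor side: publish the pack's digest together with an HMAC tag over it."""
    digest = hashlib.sha256(payload).hexdigest()
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"sha256": digest, "tag": tag}


def verify_update(payload: bytes, manifest: dict, key: bytes = PINNED_KEY) -> bool:
    """Client side: trust the manifest only if its tag verifies, then match the payload."""
    expected_tag = hmac.new(key, manifest["sha256"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return False  # manifest forged or altered in transit
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, manifest["sha256"])


def apply_update(fetched_payload: bytes, manifest: dict) -> str:
    """Simulated install step: returns 'installed' or 'rejected'."""
    if not verify_update(fetched_payload, manifest):
        return "rejected"
    return "installed"


# Constructed sample data: the genuine pack and a payload swapped in on the wire.
GENUINE_PACK = b"en_US language pack v1 (constructed)"
SWAPPED_PACK = b"replacement payload seen by the phone (constructed)"
MANIFEST = sign_manifest(GENUINE_PACK)

if __name__ == "__main__":
    print("genuine:", apply_update(GENUINE_PACK, MANIFEST))   # installed
    print("swapped:", apply_update(SWAPPED_PACK, MANIFEST))   # rejected
```

The manifest must itself reach the phone authenticated (here by the tag under a pinned key; in practice, a vendor signature over TLS), otherwise an attacker who can swap the payload can swap the manifest too.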
The phones in question were the Samsung Galaxy S6, Galaxy S5, Galaxy S4 and Galaxy S4 Mini on Sprint, Verizon, AT&T and T-Mobile.