Security researcher Ryan Welton said that the vulnerability is in the update mechanism for a Samsung-customised version of SwiftKey.
This baby is available on the Samsung Galaxy S6, S5, and several other Galaxy models.
The problem was that when downloading updates, the Samsung devices don't encrypt the executable file, making it possible for attackers in a position to modify upstream traffic—such as those on the same Wi-Fi network—to replace the legitimate file with a malicious payload.
Welton showed everyone how at the Black Hat security conference in London.
Phones that come pre-installed with the Samsung IME keyboard, as Samsung markets its customized version of SwiftKey, periodically query an authorized server to see if updates are available for the keyboard app or any language packs that accompany it.
All that the attacker has to do is get into a man-in-the-middle position; from there they can impersonate the server and send a response that includes a malicious payload injected into a language pack update.
Samsung gives elevated privileges to the updates so the malicious payload is able to bypass protections built into Google's Android operating system that normally limit the access third-party apps have over the device.
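The update flow described above installs whatever file comes back from the download; the defensive fix is to verify the update against a key pinned in the app before installing it. As an added illustration, not code from Samsung or SwiftKey, here is a minimal Go model of both clients side by side; the vendor keypair, the payload bytes and the `UpdateResponse` shape are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateResponse: the language-pack bytes plus a detached signature over their SHA-256 digest.
type UpdateResponse struct {
	Payload   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not verify under pinned vendor key")

// insecureInstall mirrors the behaviour the article describes: whatever bytes arrived are installed.
func insecureInstall(resp UpdateResponse) ([]byte, error) {
	return resp.Payload, nil
}

// verifiedInstall installs the payload only if its signature verifies under the vendor public
// key compiled into the app, so a file swapped in transit (or signed with an attacker's key) is refused.
func verifiedInstall(pinned ed25519.PublicKey, resp UpdateResponse) ([]byte, error) {
	if len(pinned) != ed25519.PublicKeySize {
		return nil, errors.New("pinned key has wrong size") // ed25519.Verify would panic otherwise
	}
	digest := sha256.Sum256(resp.Payload)
	if !ed25519.Verify(pinned, digest[:], resp.Signature) {
		return nil, ErrBadSignature
	}
	return resp.Payload, nil
}

// signUpdate is the vendor-side step: sign the pack offline with the private key.
func signUpdate(priv ed25519.PrivateKey, payload []byte) UpdateResponse {
	digest := sha256.Sum256(payload)
	return UpdateResponse{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor keypair for the demo
	genuine := signUpdate(priv, []byte("constructed language pack: en_GB v2"))
	// A man-in-the-middle swaps the file in transit but cannot forge the signature.
	hijacked := UpdateResponse{Payload: []byte("constructed attacker payload"), Signature: genuine.Signature}
	got, _ := insecureInstall(hijacked)
	fmt.Printf("insecure client installs: %q\n", got)
	_, err := verifiedInstall(pub, hijacked)
	fmt.Println("verified client:", err)
}
```

Signature verification addresses the swapped-file problem on its own; transporting the update over TLS on top of it is still worthwhile, since it also hides which packs and versions a device is requesting.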
Welton said the exploit is still possible even when the Samsung IME keyboard is not used.
The researcher said Samsung has provided a patch to mobile network operators, but he has been unable to learn whether any of the major carriers have applied it. Carriers are usually pretty slack about this.