According to NowSecure, the risk comes from a pre-installed keyboard that allows an attacker to remotely execute code as a privileged (system) user.

The flaw was uncovered by NowSecure mobile security researcher Ryan Welton, and Samsung was notified in December of 2014. Given the magnitude of the issue, NowSecure notified CERT, which assigned CVE-2015-2865, and also informed the Google Android security team.

If the flaw in the keyboard is exploited, an attacker could remotely access sensors and resources like GPS, camera and microphone. They could also install malicious apps without the user knowing.

The attackers can also eavesdrop on incoming/outgoing messages or voice calls and attempt to access sensitive personal data like pictures and text messages.