Samsung Galaxy Store had critical auto apps installation flaws

Researchers from the NCC Group discovered two CVEs in Samsung’s official app store. As detailed by the researchers, these two flaws in Samsung Galaxy Store could enable attackers to install any app without the user’s knowledge or to direct victims to a malicious web location.

Fixed with Samsung Galaxy Store app version 4.5.49.8, the flaws were discovered by NCC Group researchers between November 23 and December 3, 2022. In a recent development, researchers at NCC Group disclosed (via Mishaal Rahman) technical details for the two security issues with proof-of-concept.

Follow Sammy Fans on Google News

Technical details and backend code aside, let’s discuss the impact of these security flaws on Samsung devices.

These CVEs could not have affected devices running the latest Android 13-based One UI 5. As noted in the report, a pre-installed rouge application on a Samsung device running Android 12 or below can abuse this issue to install any application currently available on Galaxy App Store.

Join Sammy Fans on Telegram

In order to fix these CVEs, the South Korean tech giant has pushed an updated version of the Galaxy Store (version 4.5.49.8). In case you have a Galaxy device running below Android 12, you should install the latest version of Galaxy Store to ensure your data privacy.

NCC Group found that “a webview within the Galaxy App Store contained a filter that limited which domains that webview could browse to.” Regardless the developers have not correctly configured it, which would allow the webview to browse to an attacker-controlled domain.

Galaxy Store CVEs:

• Technical Advisory: Improper access control could allow local attackers to install applications from the Galaxy App Store (CVE-2023-21433)
• Technical Advisory: Improper input validation could allow local attackers to execute JavaScript by launching a web page (CVE-2023-21434)

Proof-of-concept