Researchers discovered two security vulnerabilities in Samsung’s Galaxy App Store application that put Samsung users at risk. Exploiting the vulnerabilities could let an adversary infect target devices with malware and perform other malicious actions. Samsung patched the flaws before active exploitation.
Samsung App Store App Vulnerabilities
According to a recent advisory from the NCC Group, their research team discovered two different security issues in Samsung’s Galaxy App Store app.
The Galaxy App Store is Samsung’s own application store for its users, providing them with a reliable alternative for downloading various applications. The application comes pre-installed on almost all supported Samsung devices, such as mobile handsets and Samsung Gear. That means any issue affecting this app potentially impacts many users globally.
Regarding the vulnerabilities, the advisory explains the first issue as improper access control (CVE-2023-21433). As stated,
“It was found that the Galaxy App Store has an exported activity which does not handle incoming intents in a safe manner.”
An attacker could exploit this flaw by running a malicious app on the target device to install other apps from the Galaxy App Store without the users’ consent.
This vulnerability affected Samsung devices running Android 12 or lower and existed in Galaxy App Store versions 18.104.22.168 and others. Devices running Android 13 are not affected by this issue.
This vulnerability affected the Galaxy App Store version 22.214.171.124 and others.
The researchers have shared the technical details with the respective PoCs for both flaws in the advisory.
Samsung Patched The Flaws
The researchers discovered these vulnerabilities in late 2022, after which they responsibly disclosed the bugs to Samsung. In response, the tech giant developed fixes and released the patches with the Galaxy App Store app version 126.96.36.199.
Hence, users must update to the latest app version to avoid potential exploits.