Two vulnerabilities have reportedly come to light in the Galaxy App Store, Samsung's official app repository for its devices. They could allow attackers to install any app from the Galaxy Store without the user's consent, or to redirect victims to a malicious web location.
The issues were discovered by researchers from NCC Group between November 23 and December 3, 2022. The Korean smartphone maker announced on January 1, 2023, that it had fixed both issues and released a new version of the Galaxy App Store (4.5.49.8).
NCC Group recently published technical details for the two security issues, along with proof-of-concept (PoC) exploit code for each of them. Notably, attackers need local access to the device, which is an easy feat for experienced hackers and malware distributors who choose to attack mobile services.
Forcing app installs on Android
The first of the two flaws is tracked as CVE-2023-21433. It is an improper access control issue that allows attackers to install any application available on the Galaxy App Store.
NCC found that the Galaxy App Store does not handle incoming intents safely, which lets other apps on the device send arbitrary app installation requests.
The PoC shared by NCC's analysts is an ADB (Android Debug Bridge) command. It instructs an app component to install the "Pokemon Go" game by sending the app store an intent that specifies the target application. The intent can also specify whether the new application should be opened after installation, which gives threat actors more choices over how to conduct the attack.
The second vulnerability is CVE-2023-21434. It is an improper input validation issue that enables attackers to execute JavaScript on the target device. NCC also reveals that the only requirement for this attack is that the malicious domain contain the "player.glb.samsung-gamelauncher.com" string. An attacker can therefore register any domain and add that part as a subdomain.
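The validation gap described for CVE-2023-21434 can be seen by comparing a substring test with a parsed, exact-host test. The following is an added example, not NCC Group's PoC or Samsung's code: the weak check is a simplified model of the behaviour described above, and the function names, the `untrusted.example` domain, and the HTTPS-only and port rules are assumptions.

```python
from urllib.parse import urlsplit

# Host string quoted in the article; every URL below is constructed.
TRUSTED_HOST = "player.glb.samsung-gamelauncher.com"


def weak_is_trusted(url: str) -> bool:
    """Simplified model of the flaw: accept if the string appears anywhere."""
    return TRUSTED_HOST in url


def strict_is_trusted(url: str) -> bool:
    """Parse the URL and compare the whole hostname, not a fragment of it."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port raises on junk ports
    except ValueError:
        return False
    if parts.scheme != "https":  # assumption: content is only served over TLS
        return False
    if parts.username is not None or parts.password is not None:
        return False  # credentials in the URL are never needed here
    if port not in (None, 443):
        return False
    return host == TRUSTED_HOST  # urlsplit already lower-cases the hostname


def find_gaps(urls):
    """Return URLs the weak check accepts but the strict check rejects."""
    return [u for u in urls if weak_is_trusted(u) and not strict_is_trusted(u)]


SAMPLE_URLS = [  # constructed test inputs
    "https://player.glb.samsung-gamelauncher.com/index.html",
    "https://PLAYER.glb.samsung-gamelauncher.com:443/index.html",
    "https://player.glb.samsung-gamelauncher.com.untrusted.example/index.html",
    "http://player.glb.samsung-gamelauncher.com/index.html",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"weak={weak_is_trusted(url)!s:5} "
              f"strict={strict_is_trusted(url)!s:5} {url}")
```

The second sample shows the substring test is also wrong in the other direction: it rejects a legitimate URL that differs only in letter case, which the parsed comparison accepts.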
Impact on Samsung phones
The installation and automatic launch of apps from the Galaxy Store without the user's consent may lead to data or privacy breaches, especially when an attacker has uploaded a malicious app to the Galaxy Store beforehand.
It is worth noting that CVE-2023-21433 is not exploitable on Samsung devices running Android 13, even when they use an older, vulnerable version of the Galaxy Store.
However, Samsung phones that are no longer supported by the vendor and remain stuck on an older Galaxy Store version are unfortunately vulnerable to the two vulnerabilities discovered by NCC Group researchers.