Galaxy Store Flaw

Researchers from the NCC Group detected two flaws in the Galaxy App Store application between November 23 and December 3, 2022.

Two flaws in Samsung’s official app store, the Galaxy App Store, might let attackers install any app without the user’s knowledge or lead users to a malicious website.

Technical Details of the Security Flaws

  • Improper access control could allow local attackers to install applications from the Galaxy App Store (CVE-2023-21433)

Researchers say the Galaxy App Store was discovered to have an exported activity that does not securely process incoming intents. This enables other apps running on the same Samsung device to automatically install any application from the Galaxy App Store.

The proof-of-concept (PoC) provided by NCC’s analysts is an “ADB” (Android Debug Bridge) command that tells an app component to install the “Pokemon Go” game by submitting an intent to the app store with the specified target application.

EHA
ADB command used in NCC's PoC
ADB command used in the PoC

In this case, the intent may also specify whether or not the newly installed application should be opened, giving threat actors more options for how to carry out the assault.

“A pre-installed rouge application on a Samsung device running Android 12 or below can abuse this issue to install any application currently available on the Galaxy App Store”, NCC reports

Samsung has upgraded the Galaxy App Store for devices running Android versions 12 or lower (version 4.5.49.8). Android 13 smartphones are unaffected by this problem.

  • Improper input validation could allow local attackers to execute JavaScript by launching a web page (CVE-2023-21434)

It was discovered that a webview inside the Galaxy App Store included a filter that restricted the URLs it could browse. The filter, however, was improperly set up, allowing the webview to navigate to a site that the attacker-controlled.

“Either tapping a malicious hyperlink in Google Chrome or a pre-installed rogue application on a Samsung device can bypass Samsung’s URL filter and launch a webview to an attacker-controlled domain”, NCC explains.

The proof-of-concept (POC) demonstrated in the study consists of a hyperlink that, when clicked from Chrome, opens a website with malicious JavaScript and executes it on the target device.

Hyperlink to force webview to browse on unsafe sites
Hyperlink to force the GS’s webview to browse unsafe sites

In this case, the “player.glb.samsung-gamelauncher.com” portion of the malicious domain is the only requirement for this attack. Any domain can be registered and added as a subdomain by an attacker.

An updated version of the Galaxy App Store has been made available by Samsung (version 4.5.49.8). 

It is recommended that users should access the Galaxy App Store, and if requested, download and install the most recent version.

Network Security Checklist – Download Free E-Book

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.