Researchers from the NCC Group detected two flaws in the Galaxy App Store application between November 23 and December 3, 2022.
Two flaws in Samsung’s official app store, the Galaxy App Store, might let attackers install any app without the user’s knowledge or lead users to a malicious website.
Technical Details of the Security Flaws
- Improper access control could allow local attackers to install applications from the Galaxy App Store (CVE-2023-21433)
Researchers say the Galaxy App Store was discovered to have an exported activity that does not securely process incoming intents. This enables other apps running on the same Samsung device to automatically install any application from the Galaxy App Store.
The proof-of-concept (PoC) provided by NCC’s analysts is an “ADB” (Android Debug Bridge) command that tells an app component to install the “Pokemon Go” game by submitting an intent to the app store with the specified target application.
In this case, the intent may also specify whether or not the newly installed application should be opened, giving threat actors more options for how to carry out the assault.
“A pre-installed rouge application on a Samsung device running Android 12 or below can abuse this issue to install any application currently available on the Galaxy App Store”, NCC reports.
Samsung has upgraded the Galaxy App Store for devices running Android versions 12 or lower (version 126.96.36.199). Android 13 smartphones are unaffected by this problem.
It was discovered that a webview inside the Galaxy App Store included a filter that restricted the URLs it could browse. The filter, however, was improperly set up, allowing the webview to navigate to a site that the attacker-controlled.
“Either tapping a malicious hyperlink in Google Chrome or a pre-installed rogue application on a Samsung device can bypass Samsung’s URL filter and launch a webview to an attacker-controlled domain”, NCC explains.
In this case, the “player.glb.samsung-gamelauncher.com” portion of the malicious domain is the only requirement for this attack. Any domain can be registered and added as a subdomain by an attacker.
An updated version of the Galaxy App Store has been made available by Samsung (version 188.8.131.52).
It is recommended that users should access the Galaxy App Store, and if requested, download and install the most recent version.
Network Security Checklist – Download Free E-Book