Two new vulnerabilities have been found in the Galaxy App Store application, allowing local attackers to install arbitrary applications or execute JavaScript by launching a specific web page.
The findings come from cybersecurity experts at NCC Group, who published an advisory about them last Friday.
“It was found that the Galaxy App Store has an exported activity which does not handle incoming intents in a safe manner,” wrote NCC Group researcher Ken Gannon, describing the first flaw (tracked as CVE-2023-21433), which was ranked high-risk by Samsung.
“This allows other applications installed on the same Samsung device to automatically install any application available on the Galaxy App Store without the user’s knowledge.”
As for the second vulnerability (tracked as CVE-2023-21434 and marked as moderate risk by Samsung), Gannon discovered that a webview within the Galaxy App Store contained a filter that limited the domains that the webview could access.
“However, the filter was not properly configured, which would allow the webview to browse to an attacker-controlled domain,” the security expert explained in the advisory.
In other words, tapping a malicious hyperlink in Google Chrome or a pre-installed rogue application on a Samsung device could bypass Samsung’s URL filter and launch a webview to a domain specified by a threat actor.
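The advisory text quoted here does not say how the filter was misconfigured, so the following added example (not NCC Group's or Samsung's code) contrasts a generic loose substring check with a parse-then-compare host allowlist for URLs handed to a webview. The host names, suffixes and sample URLs are constructed placeholders.

```javascript
// Added example: domain allowlist for URLs loaded into a webview.
// ALLOWED_HOSTS, ALLOWED_SUFFIXES and SAMPLES are constructed placeholders.
const ALLOWED_HOSTS = new Set(["store.example.com"]);
const ALLOWED_SUFFIXES = [".store.example.com"]; // subdomains; leading dot is required

// Loose check: substring match on the raw string. It looks at text,
// not at the host the webview will actually connect to.
function looseFilter(rawUrl) {
  return rawUrl.includes("store.example.com");
}

// Strict check: parse first, then compare scheme and exact host.
function strictFilter(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable input is rejected, never passed through
  }
  if (url.protocol !== "https:") return false;    // only https is allowed
  if (url.username || url.password) return false; // reject userinfo before the host
  const host = url.hostname;                      // already lowercased by the parser
  if (ALLOWED_HOSTS.has(host)) return true;
  return ALLOWED_SUFFIXES.some((suffix) => host.endsWith(suffix));
}

// Constructed sample URLs covering the usual ways a text match goes wrong.
const SAMPLES = [
  "https://store.example.com/app?id=1",           // legitimate
  "https://cdn.store.example.com/banner.html",    // legitimate subdomain
  "https://store.example.com.attacker.test/",     // allowed name used as a prefix label
  "https://evilstore.example.com/",               // allowed name as a suffix without the dot
  "https://attacker.test/?next=store.example.com",// allowed name only in the query
  "https://store.example.com@attacker.test/",     // allowed name in the userinfo part
  "http://store.example.com/",                    // right host, cleartext scheme
];

// URLs the loose filter lets through but the strict filter blocks.
function filterGaps() {
  return SAMPLES.filter((u) => looseFilter(u) && !strictFilter(u));
}

console.log(filterGaps());
```
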
Both issues reportedly affected only Samsung devices running Android 12 and below. They were patched by Samsung in version 4.5.49.8 of the Galaxy App Store on January 01, weeks after NCC Group disclosed the vulnerabilities on December 03.
“Users should open the Galaxy App Store on their phone, and if prompted, download and install the latest version,” Gannon concluded.
The patches come nearly a year after cyber-criminals broke into the network of Samsung Electronics and stole source code. More recently, the company revealed that an unspecified number of its customers in the US had their personal information accessed by an unauthorized user in July 2022.