Samsung Electronics Co. Ltd. has patched vulnerabilities in its Galaxy Store app that could have allowed bad actors to install any app on a targeted mobile device without the device owner’s knowledge or consent.
Detailed Jan. 20 by researchers at NCC Group plc, the first vulnerability, designated CVE-2023-21433, opens the door for attackers to install applications through an export function that does not safely handle incoming intents.
An attacker could exploit an existing application installed on a device to automatically install any application available in the Galaxy Store app without the user’s knowledge. The vulnerability does not apply to Android 13 thanks to changes made in the operating system, with only Android 12 and below affected.
The second vulnerability, designated CVE-2023-21434, is an improper input validation issue that could allow an attacker to execute JavaScript by launching a webpage. The issue is the result of an incorrectly configured filter in webview in the Galaxy Store app, allowing webview to browse to an attacker-controlled domain. By tapping a malicious hyperlink in Google Chrome or a pre-installed rogue application, an attacker can bypass Samsung’s URL filter to deliver malicious content to a user.
For both vulnerabilities, users are encouraged to install the latest update to the Galaxy Store app.
“As a general rule, outside of mobile device management type apps, apps should not be able to install other apps on mobile,” JT Keating, senior vice president of Strategic Initiatives at mobile security solutions provider Zimperium Inc., told SiliconANGLE. “It is part of the security advancements that mobile OS’s have over traditional OS’s.”
Mike Parkin, senior technical engineer at enterprise cyber risk remediation company Vulcan Cyber Ltd., said that although these are technically local exploits, the JavaScript version poses more of a concern.
“Though an attacker would have to get a victim to execute the hostile JavaScript and get their malicious application onto the Galaxy App Store to be downloaded, fortunately Samsung has already patched the issues,” Parkin explained. “Also, the first issue does not appear to be effective against Android 13, which has been available since August 2022.”
