Two security flaws have been identified in the Samsung Galaxy Store app for Android that a local attacker could exploit to covertly install arbitrary apps or direct potential victims to bogus landing pages on the web.

The vulnerabilities, tracked as CVE-2023-21433 and CVE-2023-21434, were found by NCC Group and reported to the South Korean chaebol in November and December 2022. The fixes were included in version 4.5.49.8, which was published earlier this month. Samsung categorized the bugs as medium risk.

Samsung Galaxy Store is a dedicated app store for Android smartphones made by Samsung. It debuted in September 2009 and was formerly called Samsung Apps and Galaxy Apps.

The first of the two flaws, CVE-2023-21433, could allow a malicious Android app on a Samsung device to install any app available on the Galaxy Store.

According to Samsung, the issue was one of improper access control and has been fixed by applying proper permissions to prevent unauthorized access.

It’s important to note that the flaw only affects Samsung devices running Android 12 and older. It does not affect those running the most recent version (Android 13).

The second flaw, CVE-2023-21434, is related to improper input validation in the filter that restricts the list of domains that can be launched as WebViews from within the app. This effectively allows a threat actor to get around the filter and navigate to an environment they control.

Recommendation

According to NCC Group researcher Ken Gannon, Samsung’s URL filter can be circumvented by tapping a malicious hyperlink in Google Chrome or opening a pre-installed rogue app on a Samsung device.

The update arrived alongside Samsung’s security patches for January 2023, which address a number of weaknesses. Some of these could be exploited to alter carrier network settings, control BLE advertising without authorization, and execute arbitrary code.