The Galaxy App Store is Samsung’s official repository for its products. Two flaws could allow attackers to install any app from the Galaxy Store on a victim's device and direct users to malicious websites.
Researchers from NCC Group discovered these issues between November 23rd and December 3rd, 2022.
On January 1, 2023, the Korean smartphone manufacturer announced that it had fixed both issues and released a new version of the Galaxy App Store (4.5.49.8).
Technical details for both security issues have been published, along with proof-of-concept (PoC) exploit code for each.
Both attacks require local access, a condition that malware already present on the device can easily meet, which makes them attractive to malware distributors and hackers targeting mobile devices.
Android app installation force
CVE-2023-2133 is the first flaw. It is an improper access control vulnerability that allows attackers to install any application from the Galaxy Store.
NCC found that the Galaxy App Store does not handle inbound intents properly, which allows other apps on the device to make arbitrary app installation requests.
NCC analysts shared a PoC that uses an Android Debug Bridge (ADB) command to make the store install the Pokémon Go game. The command sends an intent to the store naming the target app.
[Figure: ADB command used in the PoC (NCC Group)]
Threat actors have more options in how they conduct attacks, as the intent can also indicate whether the application should be opened after installation.
CVE-2023-2134, the second vulnerability, allows attackers to execute JavaScript on target devices.
NCC researchers discovered that the Galaxy App Store's webviews contain a filter that limits which domains they may display. The filter was not configured correctly and can be bypassed, allowing the webview to load malicious domains.
Clicking the link shown in the report opens a malicious page in the webview and executes its JavaScript on the device.
[Figure: Hyperlink that forces the Galaxy Store's webview to browse to an unsafe site (NCC Group)]
NCC explains that the only prerequisite for this attack is that the malicious domain contains the string “player.glb.samsung-gamelauncher.com”. An attacker can register any domain and create a subdomain that includes this string.
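As an added illustration (not code from the NCC Group report or from the Galaxy Store itself), the Python below contrasts a substring-based host filter of the kind described above with a check that parses the URL and compares the host exactly. The domain attacker-example.test is a constructed placeholder.

```python
from urllib.parse import urlsplit

# The host the webview is meant to allow, as named in the report.
ALLOWED_HOST = "player.glb.samsung-gamelauncher.com"


def weak_filter(url: str) -> bool:
    """Substring test on the host: passes whenever the allowed host string
    appears anywhere in the host name, so a subdomain that embeds the
    string also passes. This models the bypassable check."""
    host = urlsplit(url).netloc.lower()
    return ALLOWED_HOST in host


def strict_filter(url: str) -> bool:
    """Hardened check: require https, parse the URL, and compare the host
    component exactly (trailing dot stripped). Malformed URLs fail closed."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").rstrip(".")
    return host == ALLOWED_HOST


def audit(urls):
    """Return (url, weak_result, strict_result) for each URL so the two
    filters can be compared side by side."""
    return [(u, weak_filter(u), strict_filter(u)) for u in urls]


# Constructed sample URLs: one legitimate, one attacker-controlled subdomain
# that embeds the allowed host string, and one non-https variant.
SAMPLES = [
    "https://player.glb.samsung-gamelauncher.com/game",
    "https://player.glb.samsung-gamelauncher.com.attacker-example.test/",
    "http://player.glb.samsung-gamelauncher.com/",
]

if __name__ == "__main__":
    for url, weak, strict in audit(SAMPLES):
        print(f"{url}\n  substring filter: {weak}  strict filter: {strict}")
```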
Impact on Samsung users
Executing JavaScript inside the webviews of the Galaxy Store or other system-privileged applications can have severe security consequences.
Depending on the attacker's motives, an attack could result in interaction with the app's UI or access to sensitive data.
Installing and automatically launching apps from the Galaxy Store may lead to privacy or data breaches, especially if an attacker has uploaded a malicious application to the Galaxy Store.
CVE-2023-2133 cannot be exploited on Samsung phones running Android 13, even if they run an outdated and vulnerable Galaxy Store version, because of enhanced security protections in the most recent version of Google’s mobile operating system.
All Samsung phones that are no longer supported by Samsung and are stuck on an older Galaxy Store version remain at risk from the vulnerabilities found by NCC Group researchers.