Two security flaws have been discovered in Samsung’s Galaxy Store app for Android that a local attacker could exploit to install arbitrary apps or redirect prospective victims to fraudulent web landing pages.
The vulnerabilities, identified as CVE-2023-21433 and CVE-2023-21434, were discovered by NCC Group in November and December 2022 and reported to the South Korean chaebol. Samsung classified the bugs as moderately dangerous and fixed them in version 188.8.131.52, which was released earlier this month.
Samsung Galaxy Store, formerly known as Samsung Apps and Galaxy Apps, is a dedicated app store for Samsung Android devices. It debuted in September 2009.
CVE-2023-21433, the first of the two vulnerabilities, could allow a rogue Android app already installed on a Samsung device to install any application available on the Galaxy Store.
Samsung described it as an instance of improper access control that has since been patched with proper permissions to prevent unauthorised access.
It’s worth noting that the issue only affects Samsung devices running Android 12 and earlier, not those running the most recent version (Android 13).
The second vulnerability, CVE-2023-21434, is caused by an instance of improper input validation when limiting the list of domains that can be launched as a WebView from within the app, allowing a threat actor to bypass the filter and browse to a domain under their control.
“Either tapping a malicious hyperlink in Google Chrome or launching a webview to an attacker-controlled domain can bypass Samsung’s URL filter,” NCC Group researcher Ken Gannon explained.
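The article does not show Samsung’s filter, so the following is an added example (not NCC Group’s or Samsung’s code) of the general bug class it names: a domain filter that matches on the raw URL string, next to one that parses the URL and compares the exact host. The host names, the allowlist and both function names are assumptions made up for the illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist; the real app's domain list is not given in the article.
ALLOWED_HOSTS = {"store.example.com", "apps.example.com"}
ALLOWED_SUFFIXES = (".trusted.example",)  # subdomains of a domain the app owner controls


def loose_filter(url: str) -> bool:
    """Constructed 'before' check: substring match on the unparsed URL."""
    return any(host in url for host in ALLOWED_HOSTS)


def strict_filter(url: str) -> bool:
    """Parse first, then require https, no userinfo, default port, exact host."""
    # Reject characters that URL parsers are known to treat inconsistently.
    if any(c in url for c in "\\\r\n\t "):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False
    # Suffixes start with a dot, so "eviltrusted.example" does not match.
    return host in ALLOWED_HOSTS or host.endswith(ALLOWED_SUFFIXES)


def filter_disagreements(urls):
    """Return the URLs the loose check accepts but the strict check rejects."""
    return [u for u in urls if loose_filter(u) and not strict_filter(u)]


# Constructed test inputs for the validator, not taken from the article.
SAMPLE_URLS = [
    "https://store.example.com/detail/app",
    "https://cdn.trusted.example/banner",
    "https://store.example.com.attacker.test/",
    "https://attacker.test/?next=store.example.com",
    "https://store.example.com@attacker.test/",
    "http://store.example.com/",
]

if __name__ == "__main__":
    for url in filter_disagreements(SAMPLE_URLS):
        print("loose filter accepts, strict filter rejects:", url)
```

Running the sample list through both checks is a quick regression test for any WebView or deep-link allowlist: every URL the loose check accepts and the strict one rejects is a case the filter must be proven to handle.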
The update comes as Samsung released security updates for the month of January 2023 to address a number of flaws, some of which could be used to modify carrier network parameters, control BLE advertising without permission, and achieve arbitrary code execution.