Two security flaws have been discovered in Samsung’s Galaxy Store app for Android. A local attacker could exploit this vulnerability to covertly install arbitrary apps or direct the victim to a malicious landing page on her web.
The issue is tracked as CVE-2023-21433 and CVE-2023-21434it was discovered South Korean conglomerate notified in November and December 2022 by NCC Group.Samsung Classified Bug as medium risk and released fix for version 126.96.36.199 which shipped earlier this month.
The Samsung Galaxy Store, formerly known as Samsung Apps and Galaxy Apps, is an app store exclusively for Android devices manufactured by Samsung. Released in September 2009.
The first of the two vulnerabilities, CVE-2023-21433, could allow a malicious Android app already installed on Samsung devices to install arbitrary applications available in the Galaxy Store.
Samsung explained that it was a case of improper access controls, which it said was patched with proper permissions to prevent unauthorized access.
Note that this drawback only affects Samsung devices running Android 12 and lower, not devices with the latest version (Android 13).
The second vulnerability, CVE-2023-21434, is related to an instance of improper input validation when limiting the list of domains that can be launched as domains. WebView From within your app, an attacker can effectively bypass filters and browse domains under your control.
“Tapping a malicious hyperlink in Google Chrome or tapping a malicious application pre-installed on a Samsung device can bypass Samsung’s URL filters and launch a web view to an attacker-controlled domain. said NCC Group researcher Ken Gannon.
This update replaces Samsung’s January 2023 Security Updates. fix some flawsSome of them can be used to modify carrier network parameters, control unauthorized BLE advertising, and execute arbitrary code.