Two security vulnerabilities have been identified in the Samsung Galaxy Store application for Android devices that could be exploited by a local attacker to install arbitrary applications or redirect potential victims to fraudulent web pages. The vulnerabilities, designated CVE-2023-21433 and CVE-2023-21434, were discovered by NCC Group and reported to Samsung in November and December 2022. Samsung has classified these issues as moderately risky and released a fix in version 4.5.49.8, which was distributed earlier this month.
The Samsung Galaxy Store, previously known as Samsung Apps and Galaxy Apps, is a dedicated application store for Android devices manufactured by Samsung. It was first launched in September 2009.
The first vulnerability, CVE-2023-21433, could allow a rogue Android application that is already installed on a Samsung device to install any application available on the Galaxy Store. Samsung has described this as an improper access control issue, which has been resolved by implementing proper permissions to prevent unauthorized access. This vulnerability affects only Samsung devices running Android 12 and earlier versions; devices running the latest version of Android (version 13) are not affected.
The second vulnerability, CVE-2023-21434, pertains to an instance of improper input validation that occurs when limiting the list of domains that can be launched as a WebView from within the app. This could enable a malicious actor to bypass the filter and access a domain under their control. According to NCC Group researcher Ken Gannon, “either tapping a malicious hyperlink in Google Chrome or a pre-installed rogue application on a Samsung device can bypass Samsung’s URL filter and launch a WebView to an attacker-controlled domain.”
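To illustrate the bug class behind CVE-2023-21434, a domain filter for WebView targets that can be bypassed, here is an added example that is not Samsung's code and does not describe the actual flaw: it contrasts a weak substring-based filter with a check that parses the URL and compares the host exactly against an allowlist. The allowlist hosts and sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration only; not Samsung's real configuration.
ALLOWED_HOSTS = frozenset({"galaxystore.samsung.com", "apps.samsung.com"})


def weak_is_allowed(url: str) -> bool:
    """Illustrative weak filter: substring match on the raw URL string.

    It accepts any URL that merely *contains* an allowed host name, so the
    allowed name can appear in a subdomain, the userinfo part, or the query
    string while the actual host is something else entirely.
    """
    return any(host in url for host in ALLOWED_HOSTS)


def strict_is_allowed(url: str) -> bool:
    """Hardened check: parse the URL, require https, and compare the
    normalised host against the allowlist by exact match."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() != "https":
        return False
    # .hostname is lowercased, has userinfo ("user@") and port removed,
    # and strips IPv6 brackets, so the comparison is on the real host only.
    host = parts.hostname
    if not host:
        return False
    return host in ALLOWED_HOSTS


def evaluate(urls):
    """Return {url: (weak_result, strict_result)} for a list of URLs."""
    return {u: (weak_is_allowed(u), strict_is_allowed(u)) for u in urls}


# Constructed sample inputs: one legitimate URL and four that only *look*
# like they point at an allowed host.
SAMPLES = [
    "https://galaxystore.samsung.com/detail/com.example.app",
    "https://galaxystore.samsung.com.attacker.example/",
    "https://attacker.example/?ref=apps.samsung.com",
    "https://apps.samsung.com@attacker.example/",
    "http://apps.samsung.com/",
]

if __name__ == "__main__":
    for url, (weak, strict) in evaluate(SAMPLES).items():
        print(f"{url}\n  weak={weak} strict={strict}")
```

Only the first sample passes the strict check; the weak filter accepts all five.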
This update is part of Samsung’s ongoing security efforts, as the company released security updates for the month of January 2023 to address several vulnerabilities, some of which could be exploited to modify carrier network parameters, control BLE advertising without permission, and achieve arbitrary code execution.