Two vulnerabilities have been discovered in the Samsung Galaxy Store application for Android that attackers could use to install applications silently or to redirect potential victims to fraudulent web pages.
The vulnerabilities, tracked as CVE-2023-21433 and CVE-2023-21434, were discovered by NCC Group in November and December of last year. The South Korean conglomerate was promptly notified of their presence. Samsung classified them as moderate-risk vulnerabilities and released fixes in Galaxy Store version 4.5.49.8.
The first of the two, CVE-2023-21433, could allow a malicious Android application already installed on a Samsung device to install any other application available in the Galaxy Store. Samsung described it as a case of improper access control which, according to the company, was fixed with appropriate permissions to prevent unauthorized access. The vulnerability affects only Samsung devices running Android 12 and earlier; devices running the latest version (Android 13) are not affected.
The second vulnerability, CVE-2023-21434, is a case of improper input validation. It lies in the check that restricts which domains may be opened in a webview from within the application. “Tapping a malicious hyperlink from Google Chrome or a pre-installed malicious application on the Samsung device can bypass Samsung's URL filter and launch a webview to an attacker-controlled domain,” said NCC Group researcher Ken Gannon.
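The article does not say how the Galaxy Store filter was bypassed, and the example below makes no claim about Samsung's code. It is an added illustration of the general point behind an "improper input validation" finding in a webview domain allowlist: a check that compares URL strings by prefix accepts lookalike hosts, whereas a check that parses the URL and compares the exact hostname does not. The allowlisted hostnames are constructed for the example and are not Samsung's actual list.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration; these are hypothetical hostnames,
# not the domains the Galaxy Store actually permits.
ALLOWED_HOSTS = frozenset({"store.example.com", "help.example.com"})
ALLOWED_SCHEMES = frozenset({"https"})


def naive_prefix_check(url: str) -> bool:
    """Weak pattern: treat the URL as an opaque string and test its prefix.

    Anything that merely begins with an allowed origin passes, including
    hostnames that extend the allowed name with further labels and URLs that
    place the allowed name in the userinfo part before an '@'.
    """
    return any(url.startswith(f"https://{host}") for host in ALLOWED_HOSTS)


def is_allowed_url(url: str) -> bool:
    """Hardened check: parse the URL and compare scheme and exact hostname.

    urlsplit() lowercases the scheme, and .hostname strips userinfo and port
    and lowercases the host, so the comparison is against the real target
    host rather than against whatever string happens to appear first.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed netloc, e.g. an unbalanced IPv6 bracket
        return False
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname
    if host is None:
        return False
    return host in ALLOWED_HOSTS


def classify(urls):
    """Return {url: (naive_result, strict_result)} for a batch of candidate URLs."""
    return {u: (naive_prefix_check(u), is_allowed_url(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate links and several that a
    # prefix check misjudges because the allowed name is not the real host.
    samples = [
        "https://store.example.com/app/123",
        "HTTPS://Store.Example.com:443/app/123",
        "https://store.example.com.attacker.example/",
        "https://store.example.com@attacker.example/",
        "http://store.example.com/",
        "javascript:alert(1)",
    ]
    for url, (naive, strict) in classify(samples).items():
        print(f"{url:48s} naive={naive!s:5s} strict={strict}")
```

Only `is_allowed_url` should gate what a webview is allowed to load; `naive_prefix_check` is kept solely to show the mismatch between the two on the same inputs. In an Android app the equivalent parsing step is `Uri.parse(url).getHost()` compared against the allowlist, together with a scheme check.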
Samsung Galaxy Store, previously known as Samsung Apps and Galaxy Apps, is the dedicated application store for Samsung Android devices. It was launched in September 2009.